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The languages people use to communicate 
with computers dirfer in their intended apti- 
túuags, towards eitnoar a particular application 
SS catar pbasesaí computer use 
(high level programming, prcgram assembly, job 
scheduling, etc.). They also differ in physi- 
cal appearance, and more important in logical 
Sauer ur szene zalbestiionzarises, .00:tChe 10I10- 
svncrasles reflect Lassie logical properties of 
Che arlsationssshat are being catered for? 
(06, 2. DO). 


CHAPTER 1 


OA OLENS STRUCTURES 


Introduction 


The last decade has produced many areas of interest 


witnin the field of computer science, “his thesis is con- 
cerned with the subarea of computer systems, and more 
specifically the virtual design (abstrected from any par- 
ticular physical nardware) for networks of asynchronously 
operating digital computers. In addition to being appro- 
priate for networks, the general design presented in this 
thesis can be used to describe current logical operating 
systems and can provide a framework within which to design 
languages. 

Early digital computers were very simple, had only 
limited structures within which users could formulate 


solutions to their problems, interpreted only simple 





2 
seauences of instructions, and were under the complete con- 
trol of one user at a times, Input and output was normally 
mier user program control, and only minimal control func- 
tlons ere provided such as test and skip cn certain flags, 
famitbed jumps, and instruction modification, 

Users soon desired to construct more complex compu- 
tations. More general control structures were introduced 
along with ways of communicating between program parts. 
Extended machine languages were developed to exploit these 
new features. Users could now do more, and they soon 
found that such tasks as the routine testing for external 
Maveractions, were wasting much of their capacity. The 
resulting concept of interrupt, which was “apparently in- 
reduced mitho the UNIVAC 1103" to obtain good input/output 
(BN71) dia away with this annoyance but introduced a more 
complicated control structure. A well-defined program 
organization was required so the users could cause the 
processor to focus its attention on the appropriate pro- 
gram part at thes appropriate tims, along with methods of 
resolving logical conflicts due to the asynchronous ar- 
rivals of these interrupts. 

The need to improve system performance and lower 
Job costs by using parallelism, in conjunction with the 
interrupt, resulted in multiprocessor computer systems. 


The use of simple I/O processors caused the CPU to be 








U 


poorly utilized when only one user program was resident 
in the machine at a time. Better CPU usage was achieved 
with multiprogramming operating systems (time multiplexed 
programs proceeding in a pseudo parallel manner). ‘The 
concept of digital "process" as a sequence of process 
states was developed as the abstraction of these inter- 
a prentities. Early processes were not very complex, 
and although each process could proceed in pseudo par- 
Aci obner processes, littie or no explicit “inter- 
process interactions were allowed. As users became more 
sophisticated, more complex intraprocess state structures 
and control operations were developed. The process state 
nermally ineludes both Information to direct the processor 
in its operations and the information which the processor 
manipulates in response to such directions. 

The ability to create multiple processes soon led 
to a desire to use a set of parallel processes to accom- 
plish a single purpose thus requiring the support of more 
Pernera ICCT Process imteractlons. New problems were cre- 
ated by multiprocess systems because of the need to share 
resources., The physical system needed to multiplex its 
physical assets to achieve some optimal goal, while the 
logical processes needed to share logical resources (for 
example, the information in files) amongst themselves 
while protecting these objects against misuse by a bor- 


rower. 





As experimentation with interprocess and systein 
user relationsnips procéeded, a need developed for the 
management of uncooperative processes, If a user process 
is completely isolated from all other processes including 
e system as was true in earlier operating systems, it 
Can be uncooperative and only the user of that process is 
affected. Such isolation is no longer feasible because 
of the diverse user population which must now be served. 
Many systems being developed are attempting to fulfill 
these needs by permitting a user to construct multiprocess 
computations and allowing substantial internrocess inter- 
COn cada nene control of other proessses. 

The design of a computer system to support a gen- 
eral user community can make no simplifying assumptions 
Cencemning their reliability It must allow for users who 
are subject to making errors and who may even intention- 
ally try to circumvent the system to achieve their own 
goals. One of the essential concerns when designing a 
general purpose system is that it be able to support such 
potentially uncooperative processes while guaranteeing 
the integrity of the system. As users employ more com- 
plex interprocess interactions, they require access to 
more complex facilities. 


The delegation of such services and decisions to 


the user process opens the way for the possibility of 





Significant unsocperative behavior which the system can 
OOO IPrevents In order to prevent such behavior, 

the system designer would have to make arbitrary a priori 
decisions as to what is to be considered uncocperative be- 
havior by ali of the processes to run on that system. How- 
Ee ci LI ISR? rocess interactions are permitted, only the 
users of the system (through their processes) can decide, 
in gereral, when uncoonerative behavior has occurred with 
respect to these interactions. It is impossible for the 
system to prevent uncooperative process behavior without 
imposing worse case restrictions on all processes. 

Mime Calmmcecde lcs FO “control tne effects of such 
bmiemoperative behavior by regulating the scope of the 
effects of the interprocess interactions of each process. 
If one process within a system claims another is being un- 
Yair, either some outside authority must arbitrate or they 
MIS "Came CO a jemnt solution, in which*case they have 
ipl LCawmys formed a jormtieauthnorivy. A generalization of 
the system/user relationship is necessary if a network de- 
sign is to permit delegation of the control of interesting 
interprocesss interactions. » Users must be delegated the 
authority to control the processes over which they have 
Teno. Or example, a2 US€reprocess Should have 
tics amen cose ontrol the processes it creates, as 


a time sharing system process has to control the processes 





it has created for users. Users must be provided a me- 
chanism for exercising their authority, where the rules 
of responsibility say it is appropriate, thus permitting 
them to control tne interactions of those processes which 
they feel need be controlled. At the same time though, 
those processes not under their responsibility, must be 
Provided protectioeasfrom their authority. 

Ore final need becoming apparent today is for sys- 
tem designs to be portable. F. C. Withington (Wi72) makes 
some interesting observations about future computer sys- 
tems. He claims that because there will be sienificant 
hardware cost performance improvements Mc tear future, 
machine Independent appTTeatlons which are mortable will 
be more economical than "optimized" machine dependent 
applications. Application systems would not need to be 
rewritten solely because the physical hardware upon which 
they are implemented is changed. He predicts that the 
next generation will include network systems and then 
forecasts that 

the operating system will vermit the network 

of processing modules to be widely varied; 

the user will be able to add, subtract, and 

upgrade them individually, without undergoing 

the pain of conversion. The ‘generation cycle! 

we have become familiar with should end, and 

orderly evolution should become the rule. 


Today's software systems are very complex and can- 


not be rewritten easily for a new hardware system. If 


Withington's predictions are corract, the benefits of 
weiting everything for a virtual (not machine dependent) 
System structure, and then implementing this structure on 
new physical devices would far outweigh the inefficiencies 
Amesto any speciíddo implementation of that virtual system. 
The implementer cf such a virtual system could use trans- 
lation, or Waitve's macros (Wa70), to ease the implementa- 
tion job, but the user would not have to be concerned with 
the move, If the virtual system is augmentable, to meet 


Special needs, users may be able vo gain some of the same 


<D 


Mei encies they now get by writing for a particular vhy- 
Soo Machina whilesstill getting portability. 

imordo? temsgomhan lity to bes successiul, sa clear 
distinction must always be made between the virtual struc- 
tures defined and the physical implementation of then. 
The general acceptance of virtual address spaces and vir- 
tual processors has proven that ít is not necessary to re- 
quire the logical and physical mapping to be l-1. A gen- 
ema desien, that clearly separates the logical- and phy- 
Socie. pls macessary if portability is to be 
achieved. Only then does the design not become con- 
strained to a particular type of machine (perhaps at the 
cost of sacrificing some specific efficiencies of each 
machine). 


With the advent of networks, composed of different 





8 
kinds of digital computers, transportabilitv becomes even 
more imperative. If the complex is to be a useful vehicle 
for sharing resources, then tne whole network must provide 
a consistent face to the user. Even if all of the communi- 
Gaurow Liverifaces are vne Same, the users wili be reluctant 
to exploit the network if they must interface with a dif- 
ferent operating system at each node., A user may wish to 
moye a process between nodes. This means a standard inter- 
Pac nisl pe Uemnedmmer USer processes at a level which 
assume no particular physical architecture or devices, 

The virtual system designer should not define what par- 
ticular physical. resources the implementer must have. The 
imptementers of the virtual system must be given the flexi- 
bility to select those physical resources which permit them 
to optimize their implementation subject only to local man- 
agement constraints. If hardware is developed which will 
improve their implementation, they should be able to use 

it without requiring any change in the logical system the 
user sees. The only effect on the user should be a change 


in the cost performance. 


Current Work 

Since it is impossible to discuss all of the litera- 
ture relevant to this thesis, attention wi11 be focused 
primarily on those systems which represent the logical 


structure within which users define their problems and 
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DO oya a implementation or appliesenen Problems. Since 
the COSINE report (Co71) contains a general discussion of 
the area of operating systems and provides an introduction 
to many of the terms that will be used in this review of 
cen Ono rcal Chiort will be made to define speci- 
Fic terms here, Those terms which are used in later chap- 
ters wilt be expiained and defined at that time within the 
Someexo Ol che network being developed. 

Of primary Interest in this thesis are those works 
Beten deal wich networks of digital computers, the process 
state structures supported by systems, and the operating 
environment provided for user processes. This includes 
Mee Cacepes Of Control and parallelism, the interactions 
among processes, and the ability of a user process to man- 
age resources. Papers dealing with the protection end al-- 
location of logical resources and with portable systems 
are also of interest. The remainder of this section will 
attempt to survey some of these areas to indicate the logi- 
cal structures currently being used. 

Networks: Networks of general purpose digital com- 
puters are becoming accepted as a viable way to provide 
computer services, and interest has developed in how to 
unio isuen networks to allow inereased availability of 
physical and logical resources, Farber (Fa72) defines a 


computer network as "an interconnected set of dependent 
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or independent computer systems which communicate with 
each other in order to share certain resources such as 
programs or data and/or for load sharing and reliability 


reasons." 


CONDAL Ve. SADO FEA 


* 


quote was taken provides a brief introduction to seven 
"typical networks" and some of the probloms involved in- 
cluding organization and management of such networks. 
Warber's article discusses the networks with respect to 
organization, composition, number and geography of nodes, 
machiive sizes, and communication interfaces. Companion 
artlales by Stefferud (St72) and Hootman (Ho72) 1cok at 
networks from a manager's point cf view, including such 
questions as "who is management," "where it resides," and 
network economics. None of the articles discuss what 
operating system structures must be provided in a network 
te fulfill these responsibilities, and none of them make a 
clear distinction between the physical systems and the 
logical systems which will be using the network. Imple- 
mentation management problems relating to the accounting 
OF physical assets is included, but not how the logical 
processes willl be able to manage logical resources dis- 
tributed over the network. The desire of users to create 
multiprocess computations and manage logical resources by 


user defined techniques is being overlooked, even though 
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it appears this may be desired more in a network than in 
Bent systems. Although the technical interconnection 
problems "show promise of being solved" (St72), the pro- 
blems of how to use networks, and the political and man- 
agement problems, must also be solved before a user will 
be able tio write interesting and useful general systems 
which can exploit networks. 

Information concerning the "ARPA" network is the 
most readily available. Two series of papers (CC70,HK70, 
RW70) and (CH72,0H72,TH72), along with some companion 
Papers provide a fairly ‘complete cistussion of 10. The 
purpose of ARPANET wes to provide "a network that would 
ame Lor the interconnection, via commen=carrier cir- 
Cures , OP dissimilar computers at widely separated, ARPAS 
sponsored research centers" (OH72). 

Each node has an IMP (interface Message Processor) 
which “acts as a nodal switching unit and also inter- 
connects the research computer centers" (HOSTS) (OH72). 
Originally, a user accessed the network only through a 
HOST, but it soon became desirable to provide direct 
terminal access which was done using a Terminal IMP (TIP). 
The TIP provides the services of connect and disconnect to 
remote sites, and then becomes transparent to the conver- 
sation between user and HOST. It is not the intention of 


this thesis to go into the implementation problems of 
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HOST to HOST communication. The interested reader is re- 
ferred to the papers for a more complete description of 
these prablens. 

"The growth of the network has dynamically cata- 
lyzed an area of computer science which has to do with 
the quite general problem of how programs should inter- 
eommenteate, whether in a single computer or between com- 
Deeers  (Ol/2). in the ARPANET, an attempt was made to 
provide a general mechanism allowing user-level process- 
to-process communication (CH72). Interprocess communica- 
tion is carried out in a simplex manner using one of the 
256 logieal cennections, Since each HOST in the network 
names its own processes, "sockets" provide a unique name 
in aname space divided among the HOSTs. Each HOST then 
maps socket names onto the processes. Processes are cre- 
ated according to procedures local to thelr respective 
He wMome ca MisGetnverrace Wath a network control program 
(NCP) resident in each HOST to be able to communicate. If 
the conversation between processes is to be duplex, two 
Connection mustrbe made. 

A process uses local operating system calls to tell 
the NCP to send a message to a specific socket. The NCP 
interacts with the ARPANET to send the message to the re- 
Comet Semestern zuhicch chen uses appropriate system 


primitives to dellver the message to the process with the 
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destination socket. One major weakness of the ARPANET is 
that "System calls will vary from one operating system to 
another" (CC70). The ARPANET has no concept of a network 
operating system it provides for its processes. 

buOCesccmme nesuse sof the termeiprocess," asaaecon= 
cept relevant to computer systems became common in the 
literature as a result of its use by two separate groups: 
project MAC at MIT used it in 1964 as a "precise concept 
in discussing design problems of multiprcgrammed computer 
systems" (De70) and Dijkstra used it in 1965 when he pub- 
lished his work on "Cooperating Sequential Processes" 
(D167). It is somewhat surprising that the connotations 
of the many formal and informal definitions of process 
are similar even though each definition was designed to 
PE within a certain contexta A survey of these defini- 
tons can be found in the introduction to Horning and 
Randall's "Process Structuring" (HR71). Their definition 
Ommpmecess sicgeasetiollows: 

A triple (S, f, s), where S is a state vari- 

able set, f is an action function on that set, 

and s is the subset of the state space of 5 

which defines the initial states of a process. 

A process generates all the computations gen- 

erated Oy its action function from its initial 

states, 

Fitzwater and Hintz (FH71) present a definitional 


system which allows the designer to represent a process 


state, define a processor, and then validate the design 
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by observing the system behavior as the processor works 
on that stave. Their definition of process is an "inter- 
pretation sequence of process states." This definitional 
system is useful because it relates processes to the con- 
cepts of system, complexes of such systems, and asynchro- 
nous communication between the members of this complex. 
This system is convenient for providing a formal defini- 
tion of a design to remove any ambiguities. 

A digital computer system has the property that 
there is one or more points in its execution sequence at 
which its state can be observed and its behavior studied. 
A process state normally contains a process name space 
or data part, and a program part which directs a proces- 
sor in its transformation on the process state. 

Although the ARPA papers talk about creating a 
process in a HOST system and allowing processes in separ- 
are ls vO Communi cave using the network,» there is no 
formalism of the properties of a process or of its states. 
Each system is controlled by the physical system manager 
and there are no network operations, other than communi- 
Cao Wilemmone process Can@inveract with a™process 
in some other systen. 

Although identifiable processes, as components 
computer systems», were originally very simple, they 


have become more general and more complex, Dijkstra 
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(D1i05,67,68,71) has investigated logical process coopera- 
tion, when no restrictions exist on their relative speeds, 
The cooperating processes have access to one or more var- 
lables, which they can cooperatively check to see whether 
mot to proceed into a “critical section." Although a 
process may have to wait logically on other processes be- 
fore entering its critical section, it proceeds asynchro- 
nously at all other times. 

Numerous recent designs use the concept of a pro- 
ee: In describingetheir system. "THE! (Di68) is a “so- 
ciety of sequential processes with undefined speed ra- 
tios" where "harmonicus cooperation is regulated by means 
CMmconiacit synchronizing statementestlimeAlsberc's (AL71) 
"OSL/2" is an implementation of Dijkstra's hierarchial 
concepts in which a process can create and monitor new 
processes, thus becoming an operating system for them. 
"ESOPE" (BB69) permits processes to interact via inter- 
process communication and control other processes by using 
activate, block, create and destroy. "TENEX" (BB71) per- 
mlts a user to create a process tree hierarchy with mul- 
tiple simultaneously runnable processes where a parent 
controls the children. The "RC4000" system (Ha7la) is 
basically a "monitor. that can be extended with a hier- 
archy of operating systems." Any program can initiate 


"other programs in a hierarchial manner and execute them 
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according to any strategy desired." In all of these sys- 
tems, a process is normally considered as a potentially 
asynchronous executable entity with communication some-~- 
times possible between it and other processes in the sys- 
tem, 

Control: Some concept of control (what is to be 
done next) is present in one form or another in all sys- 
tems and computer languages. When talking about programs 
Dennis (DV66) describes a "locus of control" and Denning 
(De58) a "thread of control." With respect to multipro- 
gramming and multiprocessing systems, control may be con-- 
sidered as the switching of the attention of the proces- 
sors among the various programs in the system, and can be 
described at various levels of abstraction (for example, 
machine instruction execution, program instruction se- 
guencinga, or multiprogramming). 

Fisher (Fi70) says "the control structure of a 
programming language is its sequencing or interpretation 
rules and as such provides a programming environment which 
encompasses any task within that language." He foes on 
to say that there is a need for more than a "step by step" 
concept of control so the "point of view" with which pro- 
biems can be attacked is not constrained. Both his intro- 
duction and that of Herriot (He71) provide good discussions 


of control. 


PU 
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Control structures in most early computer languages 
were not much more complex than the machines upon which 
they were designed to be run. One instruction was se- 
quentially executed after another with conditionals, jumps, 
and later subroutine jumps as their only control mechanisms. 
Systems were normally dedicated to one user at a time, 
and it was only to provide services for the convenience 
or the users that a basic operating system was developed. 
Although operating system designers soon included concepts 
of system/user relationships, multiprogramming, and 
multiprocessing, there was little development of languages 
fOmeaimine such concepts. 

SIMJLA (DN67) introduced the concept of coroutine 
and SIMULA 67 (DM68) extended this to "gquasi-parallel sys- 
tems." Nested blocks similar to SIMULA main blocks were 
allowed, resulting in a tree of nested coroutines. "Task- 
master" (FM65a, FM65b) (a real time system) similarly or- 
ganizes its tasks in a tree structure. Every Taskmaster 
task has several ALGOL like statements which may receive 
COmeceimairectivefromabhe scheduler, or as a result of 
elock or outside interrupts, rather than sequentially from 
other tasks. A significant disadvantage of "Taskmaster" 
Lsm@ene requirement that all users ccooperatively return 
Comurolevemtne schedulersbefore the nexbetask can be exe- 


cuted; 
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Dijkstra's work with cocperating sequential pro- 
cesses has interested researchers in the definition and 
implementation of systems permitting process nteraetsons, 
along with the associated problems of mutual exclusion anā 
Synchroni.zation. The implementation of "E&V" type opera- 
tions usually is based on having only one physical pro- 
Gassor or 8 sharable memorye(OSL/2 (A171), ESOPE (BB69), 
ChEGANO (BE71), THE (Di68), Venus (Li71)). Efficient im- 
plementation of "P&V" operations, when these assumptions 
are not true, might be difficult. Other systems permit 
interprocess interactions through a form of logical com- 
munications other than the use of shared variables (GE600 
(BD69), TENEX (BB71), ARPA). One example of how the solu- 
tiom of “critical section" probivems using "P&Veoperations 
could be difficult to implement (on a multiprocessor sys- 
tem), would be when the processors are using a "cache" 
like buffer memory. There is normally no update of the 
information buffered by one processor if another processor 
Changes a buffered variable. Special features would have 
to be introduced just to handle the "P&V" operations. The 
ARPANET was forced to use a message system instead of 
"P&V" type operations for interprocess communications 
since processes could reside in different HOSTs which did 
not share memories. Wirth (Wi69) complains that "P&v" 


may be too primitive anyway, since the synchronization of 
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Toosely connected processes natrally ecnsists of the in= 
terchange of messages, as is done in ordinary life. 

Most systems do not guarantee either the order of 
execution cr the length of time a physical processor will 
be applied to each process. Individual processes effec- 
tively proceed asynchronously, exsept through their own 
piscine logical synchronization. For example,r a common 
way of handling interprocess communication is by synchron- 
izing the two processes through such primitives as block/ 
Wakeup or block/cause (BD69, S069). Requiring a process 
to go to sleep, when waiting for a message, implies a sin- 
gle thread of control in a process and no logical inter- 
rupt facilities. Wirth (Wi69) feels this is good because 
"The interrupt effectively consists of the insertion of 
one or several instructions at points of the program which 
can neither be foreseen nor reconstructed." On the other 
hand, it prevents the process from doing other work while 
waiting for messages. OSL/2 (A171) has no concept of an 
interrupt at the logical level, and as the author points 
out, must be completely "command driven." Rose (Ro71) is 
the only author wno specifically discusses "multi-threaded" 
processeo, althotien@ multiple threads are implicit in the 
few systems which demallow transfer to a specific address 
for the delivery of a message. 


System-programmers recognized early the usefulness 
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of faults (error conditions which occur during the execu- 
tion of an operator ín a processor), and interrupts (sig- 
nals from sources other than the processor itself) but 
user application languages have been slow to Include such 
concepts. PL/I (IB68) introduced the "ON condition," but 
most other languages have no such feature. Needham (Ne71) 
feels that all faults should be handled within the process 
using a trapping mechanism. AS a general mechanism, he 
Says a process should have a "catastrophic address" to 
which control is transferred when all else fails. The 
major problem with most present implementations of faults 
is that they are not handled by the user in the environ- 
Men women they ocewirred, but@are treated as interrupts 
to independent environments. This distinction only becomes 
essential in multiprocess systems. The system designer 
cannot expect to know everything each user wants to do, 
and therefore can implement only arbitrary design decisions 
in such system provided fault handling routines. 

Interactions and Ressources: Early computer systems 
were not concerned with interprocess interactions since 
they supported only one process (user) at a time. As sys- 
tems became more complex, the number of concurrent users 
increased, and the amount of resident information accessi- 
ble to the executing processes increased. Uncooperative 


process behavior by design or default became a dangerous 
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potentiality, and the control. of interprocess interactions 
weeamewa necessity. At first the trend was to isolate the 
process completely, both logically and physically, but it 
soon became apparent that suitable facilities had to be 
provided to permit processes to interact. 

Since interprocess interactions (mutual or recipro- 
cal action or influence of one process on another) will al- 
Ways exist, some form of protection must be provided. A 
good overview of process protection can he found in Co71 
and De7l. Most computer systems, designed for multipro- 
gramming provide some control over process interactions, 
such as privileged instructions or memory protection, For 
example, the IBM 360 memory hardware protect and the Mul- 
tics (Or72) segmentation binding within a ring, were de~ 
Signed to limit a process's access to its logical address 
space repfardless of where it resided physically. Use of 
Senlerarchlcal directory, with the system checking access 
ASES the Usual Way Of protecting user files, One 
problem in Venus (Li71) is the lack of segment protection 
which requires but cannot ensure that all processes be co- 
operative. Most of the other systems make use of disjoint 
logical process address space (GE600 (BD69), ESOPE (BB19)). 
TENEX (BB71) and Multics (Or72) integrate the file system 
into the virtual process address space, binding segments 


to a logical name only at execution time. They hope to 
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make sharing of data and procedures simpler since two lor- 
teal names can be used by Br processes, and can be 
mapped onto one physical name representing the shared in- 
Imation. Ong of the major difficulties of permitting 
interprocess interactions only through shared segments is 
that the occurrence of race conditions is encouraged, which 
Must be ssolved by expensive cooperation, and requires phy- 
sical systems to always provide a way of sharing memories 
even in & network. Interprocess interactions using com- 
Moa cation do not have this difficulty. 

Achieying process protection by using separate logi- 
cal address spaces, created a need for sharing logical en- 
Pos ne concepto a logical resource which can be 
passed to a process was developed. Which entities are to 
be considered resources, and which processes are to be per- 
mitted to have them, is highly dependent on the level of 
abstraction with which the system is being managed. Until 
recentiy resources were defined primarily in terms of their 
mapping onto an implementation. The introduction of multi- 
programming, and the concepts of virtual machines and 
virtual address spaces, have begun to separate what the 
process manipulates from the resources the implementer 
manipulates. Pnysical resources such as space are manipu- 
lated by the implementor, and logical resources such as 


files are manipulated by the logical processes. 
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Some systems are beginning to permit processes to 
manipulate resources, In "Venus" (LL71) cooperative re- 
source management is used. In "Multics" (Or72), programs 
and information can be shared freely at the will of the 
user, In "ESOPE" (BB69) a set of rescurees is allocated 
Mme oer, ana lt is Up to the set of user processes 
to share them. Gaines (Ga71) limits a child to a subset 
of its parents! resources, as does the RC 4000 (Ha7la) 
system, 

With the advent of suballocation of resources, 
theoretical work on the protection of iLopicai objects be- 
comes much more important. Vanderbilt (Va69) controls 
aceess to shared items by executing» certainrwobjects with- 
in a data structure language he has developed. Lampson 
(La69, 71) is interested both in the theories of protec- 
tion and in implementation problems such as "how can in- 
formation which specifies protection and authorizes access, 
itsel? be protected and manipulated?" His theory suggests 
that objects be named by capabilities, access be granted 
to these objects by keys. A process then can be con- 
sidered to execute in a domain (group of capabilities), 
and entry between domains can be protected by "gates" thus 
giving a process different powers in different domains. 
Graham (Gr7la) extends this work, and discusses the pro- 


blem in relation to "Sue." Conway (CM72) suggests another 
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implementation model where the matrix elements "are deci- 
sion rules." He makes a distinction between date depend- 
ent and data independent rules which can be exploited by 
checking the data independent security once at translation 
time and then checking only the data dependent security at 
=eutlon time, 

The protection of objects is imperative, and any 
general Jogical system must provide some technique for 
doing this. A decision must be made as to which objects 
e ODC protected, the means of protecting each, and 
tne rights of the owners of such protected objects. A 
design cannot be considered as properly supporting unco- 
operative processes unless protection is provided for all 
interactions, 

Cooperative Management of Uncooperative Processes: 
Most systems today iack a general mechanism, which the 
Process can invoke, for handling uncooperative processes, 
particularly when the process to be controlled may exist 
in some other system in a network. To be able to do this, 
mechanisms must be provided to allow for accountable re- 
source allocation and for control (possibly remote) of 
interprocess interactions. Recently there have been 
several logical system designs which have partial solu- 
Plans to some of these problems, but they are too special- 


ized to satisfy all of the requirements (processes which 
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must shave address space to interact, cannot be completely 
isolated). 

The definition of uncooperative behavior between 
interacting processes is only possible from the point of 
view of the authority over such processes, Several de-- 
signers have included process hierarchies in their systems 
which permits a process to control its own subprocesses. 

since the difference between operating SyS- 

tems and production programs is one of juris- 

diction only, this problem is solved by ar- 

PO the internal processes in a. hlerarchy 

in which parent processes have complete con- 

trol over child processes. (Ha70) 
mecna ld can only be created, started, stopped, and removed 
oy a parent who supplies the resources and gets them back 
haem the child is removed, 

Gaines (Ga71) is interested in "what happens if a 
process deraiis," and TENEX (BB71) has an "inverted tree 
defined by the capability for direct control and killing." 
"Although not completely general, a tree structure process 
hierarchy implicitly provides the protection and reference 
facilities that are wanted in most applications." One of 
the design goals of TENEX was that "the system should en- 
courage and facilitate cooperation among users as well as 
provide protection against undesirable interactions." 
There are three areas which might be considered deficien- 


cies if this system was to be considered as a network 


Structure. First, processes are permitted to communicate 


are o 
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via shared memory, which is difficult if the hierarchy is 
distributed over nodes of the network. Second, each "Joh" 
mera Separate hierarchy, thus 1imitingssome of the general 
interprocess cooperation which might be desirable. Third, 
Mie system does not provide for logiealuresceurces to be 
allocated down a hierarchy with guaranteed protection. 

heetabllityiee, IT useful portability is to be possi- 
ble, each system must maintain a strict separation of logi- 
cal and physical resources, and the logical system that a 
Meer sees Should remain invariant over moves to different 
Physical systems. Landin (La66) says "The physical/logical 
terminology is often used to distinguish features that are 
a fortuivous consequence of physical conditions from fea-- 
tures that are in some sense more essential." Given any 
specific logical structure to implement, the implementer 
usually has many ways to do it. The fact that the physi- 
eal system is effectively finite usually requires certain 
constraints in the logical processes. For example, "THE" 
(Di68) requires all processes sharing system resources to 
state, before the request is made, what their maximum 
De der Toxzeach-typezuil] bes 

Mebouewawilchin the concept of a virtual processor, 
Poel omecainou directly control many ofthe physical resources, 
virtual processors as currently used do not solve the prob- 


lems of portability because the virtual processor usually 
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has an extremely close relationship to the physical pro- 
cessor on which it is implemented. Recently several sys- 
tems have been implemented using a layered hierarchy of 
systems or "onion skin" structure. Portability is then 
achieved by designing a logical structure at the user's 
interface and then implementing this structure as a lay- 
ered hierarchy cf more abstract virtual machines with the 
Sueeringec Layer being the logical syatem the user sees. 
Ec” EOGOS uses this structure (Bp72, G172a, b, HR72, 
RB72). “The concept of a layered hierarchy of machines 
is consistent with some current trends in system archi- 
tecture and applies to both hardware and software of a 
System. Thus the hardware/software split can be postponec 
in theedesign process, allowing greater flexibility of 
implementation." Several systems have used this technique 
in their implementations ("TIE" and "Venus"). The design 
of a logical network which is abstracted from any particu- 
lar machine permits different network facilities to imple- 
ment the design using any desired number of hierarchies 
oT systems. Using this technique, the implementer may 
find that it is only the lovest levels of the hierarchy 
which need redefining. Regardiess of what the facility 
Imprementer must do to provid’ the system, the user will 
see the same basic logical structure when the system is 


finally implemented. 
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Problem Statement 

Any general but useful design for networks of digi- 
tal computers must solve the problems of network managea- 
Mty, generality”, and portability. The network designer 
must determine which decisions should be built into tne 
desien, and which should bs delegated to the users or the 
implementers to make at a later time. The more decisions 
Built into a network design, the less adaptable the net- 
work will become and the less freedom the user will have 
to create optimal process relationships. A solution, 
Witch does not result in arbitrary or unnecessary con- 
straints on the network users or implementers, is to de- 
Pomel the system itself, only the choices necessary 
to permit the network designer to delegate all other de- 
cisions to either the users or the implementers. 

The System designed in this thesis, provides suffi- 
cerent factorization Of responsibilities and delegation of 
authority to control the behavior of the processes running 
in the network, to permit the development of a network 
which sacisfies the following postulated constraints. 

l. The designed network must consist of a set of 
interacting bounded programmable digital computer systems 
with well-defined processes, and be open to communication 
with foreign systems having undefined processes. 


2. Responsibility for meeting the postulated 
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design constraints and the design decisions must be fac- 
tored between the network, implementation, and process de- 
Meners, 

3. Each designer must have sufficient authority to 
dan rol the eiiects, on the processes running in the 
Meuyork, of the interactions for which that designer has 
been delegated responsibility. 

l. Although processes must be permitted to dele- 
gate to other processes their authority to control process 
interactions, the delegating process always retains re- 
sporsibility for that interaction and the authority to 
contro. the process to which it was delegated, 

5. The network definition must provide for modifi- 
cation of its definition. The design must provide suffi- 
cient constraints to be able to delegate safely to process 
designers all modification decisions and authority to con- 
trol the effects of such decisions on the processes in the 
network. 

The postulated constraints must always be satisfied 
when design decisions are made in this thesis. Those de- 
Sign decisions influenced by the postulated constraints 
must be shown to provide the greatest generality consist- 
emus bh the postulated and derived constraints. Those 
decisions which are not directly influenced by the con- 


straints need only be made subject to good, but informal, 
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design concepts, 

Chapter 2 ofthis thesis eontalns tner development 
mea seu om conecraints@withim whieh whe network deci- 
cions will be made, The postulated constraints are moti- 
vated first, and then additional constraints, which follow 
Girecciy from them, ane developed. The third chapter de- 
velops and informally defines the network design consist- 
nach. the constraints developed in Chapter 2. Chapter 
4 uses the network structures to describe several other 
representative systems, discusses botn the implications 
E nS work, and of other work being done in parallel 
with this thesis, and describes some of the areas which 
deserve future research. A formal definition of the de- 


w ned network is given in Appendix C. 





Once a Sacvisiactory set of criteria 
and postulates has been formulated, then 
one may deduce, rather than design, the 
structure of a computer (Van Horn, Va66, 
Pe AA 


CHAPTER 2 


NONCOOPERATION - THE SOLUTION 


Introduction 

The previous chapter described some of the problem 
ereas a550clated with current networks and systems, along 
with some of the present apprcaches to solving tnose prob- 
lems. This chapter will develop a set of design cone 
Steraints sufficient to allow the solution of network man- 
agement problems arising from the inclusion of general 
Control Structures, potentially uncooperative processes, 
and portability of user processes and the design itself. 
The problem of process noncooperation will be looked at 
Prtetly .; and the postulated constraints will be motivated. 
Additional constraints, which define the delegation cf 
authority to control certain process interactions, will 
be developed from the postulated constraints. 

A solution to the problem of process noncooperation 
is necessary if a network designer is to be able to give 
BPere2szdesioners responsibility and authority to control 


the processes in the network. A direct approach to the 








32 

DR ocnem Of proccss noncooperavion™!s difMieuTt because 
there is no objective point of view from which to decide 
pie norncooperatión exists. What"is"consikdereü coopera- 
meee by One process designer, might be considered uncocp- 
Seevrve y another. A final Judgment, by definition, can 
only be made by the proper authority, which might exist 
as a single designer or cooperatively as joint designers. 
Three levels of authority exist in most computer systems 
today: user, operating system, and implementation. One 
Cie” major Pro riéms, usually encountered in current sys- 
tems, is the lack of a clear factorization, between these 
three groups, of the responsibility for the control oi 
process behavior and authority to do so. Operating sys- 
tem and implementation designers (commonly indistinguish~ 
able) often know very little about what the user intended 
aprocess to dó, and tierererewcanmmonly make general as- 
sumptions about it when trying to manage its ee 

It is unlikely that the network designer will ever 
know ali viewpoints from which to Judpe process noncooper- 
ation since this would require complete knowledge of what 
all users of the network were logically trying to accom- 
plash. Analysis, by the network designer, of process non- 
cooperation would only lead to nonformal systems and a 
Philosophical discussion. The network designer should not 


make arbitrary decisions for the user by decreeing which 
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process actions are to be considered cooperative and which 
are not, but should provide services to the appropriate 
eeene responsible for thatwprocess to make the decision. 

The key to the problem of process noncooperation 
is that there must be at least two interacting parties be- 
fore cooperation or lack of it can have any meaning. It 
takes at least two marching soldiers before they can be 
out of step. The one declared out of stsp is cleariy not 
the ranking authority unless it was a cooperative self 
Geclaration because of incompetence, If all interactions 
in the network can be recognized, and a Safe means pro- 
vided by which they can be controlieä, the network de- 
signer can delegate responsibility and authority for the 
management of such interactions to other agents. A logi- 
Gee state structure; as distinct froma" physical imple- 
Memeatwon of it must be imposed on the processes along 
with the definition of appropriate transformations on 
Giese states ,ssomthat sehe veffeets of ell process opera- 
tiens are known. If the scope of the effects of a pro- 
cesses! potential noncooperation is well-defined, respon- 
sibility for process noncooperation can be delegated to 
the processes concerned. (Well-defined: Something is 
considered well defined if it has been formally defined 
and the definition holds over all systems in the network. ) 


If process designers are to be delegated the 
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meaeouSsibalivy for controlling process noncooperation, me- 
ehanisms must be provided within the network design for 
the control of process interactions through which the 
effects of noncooperation can be transmitted. As systems 
became more complex, more than one dimension of responsi- 
nity and authority for the control of processes devel- 
oped. Users cf early computers had complete control of 
the machine and hence were completely responsible for their 
Peecesses, but as systems became more complex, the user was 
no longer uniquely responsibie for what was happening. 

For each interaction between processes, a proper 
partitioning would designate a responsible agent who could 
Feen ve given authority to control that interaction. In- 
teractions between processes can occur because of the 
= C ence of a process, the logical expectations of a pro- 
cess, and interprocess communication. 

The existence of a process may cause interactions 
with other processes because the implementation must use 
seine Of its limited physical resources to represent it. 
The birth of a new process or death of an old one can pos- 
sibly cause interactions because of limited rights to cre- 
TO Ore llas process, the use of.objectsmborrowed from 
Bucher processes, or the use of some of the physical pro- 
er ser lime auna the. operation: ya interactions might also 


occur if a process is able to manipulate the physical sys- 
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MONO serwaster service or more resources, generate in- 
callas tate. structures, om to change a microprogram which 
another process might need to use. 

Interactions due to the logical expectations of one 
Precess with respect to the behavior of another process 
make up a second category of potential sources of nonctoop- 
PBratjion, Scheduling expectations might include not doing 
what another process wants, doing things in the wrong or- 
Bor not giving contro] back. A processes! management 
of resources might cause problems by not returning re- 
Beurees, allocating them Improperly, not accounting- for 
what nas been done with them, and changing or destroying 
them. 

Finally, <interprocess communication can be a po- 
tential source of noncooperation. A process might not be 
aoe tO ind out tre*stabus of another process if the 
other process is disregarding. inputs or not sending out- 
puts. Messages might be garbled or lost if input process- 
ing is tco slow. Shared address spaces might permit im- 
proper state changes, modifying or destroying commonly 
addressed objects, as well as both logical and physical 
race problems with respect to accessing common objects. 

Although the above examples are not complete, they 
do indicate some of the interactions which a network de- 


Sign must consider. The network designers and implementers 
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can be respensible for controlling. some of then, however 
the responsibility for the majority of them must be dele- 
gated to the process designers since in many situations 
only the user has the knowledge required to recognize un- 


Cooperative processes, 


Postulated Desirn Constraints 

There are five pestulated design constraints which 
are sufficient to permit a network to be designed which 
Can be used to provide a solution to network management 
problems. Each constraint will have a discussion follow- 
meen Which 15 intended to explain the terms used tn it 


and motivate why the constraint was included. 


Constraint Cl - The designed network must 


consist of a set of interacting bounded 

programinable digital computer systems with 

well-defined processes, and be open to com- 
munication with foreign systems having un- 

defined processes, 

Erunded = Hetorical syovem will Dereonsidered To 
be bounded if it defines the logical effects cf implemen- 
tation failures which may occur because the implementer 
has only a limited amount of physical resources of limited 
Aa Wien which to work. The logical system does 
not define when the implementation failures will occur; 
this can only be determined by an evaluation of each im- 


plementation and may in fact change with time. 


DE 


DAN 
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Walcot ined processes = A process willbe con- 
sidered well-defined if it has been formally defined and 
if the derinition holds over ail systems in the network. 

Foreign system - A system that interacts with the 
systems in the network and which is constrained by the 
BMecwork essigners only inethe natvwrewor these interac- 
tions. 

Undefined process - Any process which is not for- 
mally defined in the network. We can therefore make no 
assumptions about its behavior. 

Ihestirsr Cemstraint is invended to limit the 
scope of the network structures which will be developed 
in che next chapter. it should always be kept in mind 
that this is a genéral logical network design and as such 
makes no assumptions about the physical systems upon whicn 
it may be implemented. With the advent of networks, any 
‚general system design must consider the possibility that 
the processes residing in different systems may wish to 
interact. 

A design which is appropriate for a network of 
interconnected computer systems can be constrained to run 
on a single system, but it may mot be possible to extend 
a single system design to run on a network and still pro- 
dle satisteactory generality. The situation where the 


network provides little more than interconnection services 
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between systems, and each logical operating system is de- 
veloped separately, is aiso not satisfactory. The user, 
whose prccesses span several systems in the network, must 
design cach process to operate properly on its HOST sys- 
tem which may limit the computation's flexibility (TH72). 
This problem can be avoided if the design includes a net- 
work as a basic postulate and then includes process state 
structures and operations on these states which are as 
general as possible. By providing a common logical sys- 
tem design at each system in the network, the design per- 
mits the user to easily understand the network and the 
Peeececoces 10 Will support, It is a network design thes 
ls of interest in this thesis. 

Kinteracting"--Ihen looking at an arbitrary set of 
AS teme, 1t 1s convenient to be abl& to say whether or not 
member of the set is also a member of the network. 
Only systems which interact with other systems of the net- 
work can be candidates for membership in the network. If 
a system does not interact with a system in the network 
tecweto Ss moron interest in this thesis. Foreign sys- 
tei e MOU COM Lasred vO be members of the network, 

"Bounded" systems must be included in the design 
in recognition of the fact that the physical implementa- 
POr ati practical purposes, have access to only 


limited physical resources. The network design must 
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Ec ocn a aeh facte, and properly designate responsibility 
Mene process interactions which can occur due to it, 

"Proprammable"--If the design were not restricted 
Loe programmable computer systems, several networks could 
be designed which might not be considered general. Sys~- 
tems which exhibit totally built ín reflexes (not pro- 
grammable by the user), such as airline reservation sys- 
tems, although interesting, have a design which could not 
be easily extended to a network where the users are de- 
De many of the processes. On the other hand, a design 
moyıdınzs for user programmablie systems, could be vsz lo 
implement the reflex system. 

"Digital computer" systems have several properties 
which make them nice to study. The design problems they 
present should be solved before looking at more complex 
networks. Although the formal definition of "digital sys- 
bene being used in this thesis can be found in FH71 and 
JONS one essential concepts will be introduced here in- 
formally. It is important to recognize that there is a 
distinction between a single digital system and a network 
Of interacting digital systems. A digital system has 
three primary parts: a set of components which hold in- 
formation; a set of devices which are capable of perform- 
o rans cormations on Che- information stored in those 


components; and a set of communication "channels." 
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The "system processor" is that part cf the digital 
system which perforins the transformations and is itself 
Snvariant with time. It may contain one or more operators 
which carry out transformations on process states. Each 
Geeracor is applied as follows. All operators which are 
to be executed during the present system cycle are applied 
in parallel at the beginning of the system cycle and then 
proceed asynchronously. The next system cycle does not 
commence until all operators have completed and the system 
has again reached a defined state, 

A "system process" is an initial instantaneous des~ 

cription of the whole state cf the system, followed by all 
of those states reached by repetitive application of the 
system processor. The system state may contain a set of 
one or more process states which represent different parts 
of the system state (for example, user process states). 
A "process" within a digital system can thus be dsfined 
by its initial process state and the sequence of process 
states reached as the system processor operators are ap- 
pired to it. 

Each digital system in a network has a system state 
ana system processor which perform the transformations on 
that state. Each system processor proceeds at its own 
pace through its interpretation sequence, without any con- 


Sideration of the speed at which the other members of the 
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set are proceeding. Because there is no synchronization 
between different systems, there must be a clear under- 
standing of intersystem communication. Each system pro- 
ceeds as follows. If messages are generated during the 
mepeecavion Ol the system processor, they are collected 
ema set, and when the system processor completes its cy- 
ele they are transmitted to the other systems. After 
transmitting the messages, the system updates its own 
state with the messages that have arrived since the pre- 
vious update and the next cycle begins. Incoming mes- 
sages are buffered between updates since (in a digital 
system) they must not influence the interpretation during 
We -evoplicatior of the system processor. This is closely 
analogous to tne ordinary concepts of intersystem inter- 
Pup LS. 

"Well-defined" processes are necessary before any 
assumptions can be made concerning their behavior. For 
example, the creation of a new user process state must be 
controlled so Icean be recognized as such by the system 
processor. Each process state may have several parts 
which must remain invariant, irrespective of what is hap- 
pening in that system or in any other system in the net- 
work. 

A network will be considered "open" if the pro- 


cesses, whem executing on one of the network systems, have 
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the ability to communicate messages to and receive mes- 
sages from forsien systems (using normal interprocess com- 
munication only). Although it would nave been possible to 
have considersd a closed network, where communication could 
Pemexciansea only between processes in the network, there 
would have been many interesting process interactions which 
would have been ruled out. Since it would be difficult far 
the network designer to be able to know how to interpret 
mie LOcicCal Structure of all future message interactions 
Wath foreign systems, this is left up to the process to do. 

The same mechanism will be used for communication 
with foreign systems as is used for interprocess messages 
Meeweel processes in the network. As a result, no special 
structures will have to be provided by the network design- 
er, to service these external interactions. Even though 
foreign systems will not be formally defined in the network 
and therefore nothing can be said about the behavior of 
Mocixy Processess as Jong as the communication operators 
a etormaliyrgerined, and appropriate constraints placed 
Om vheir e€fiects on the network systems, the network pro- 
cesses can stt11 remaín formally defined. Since the net- 
work designers have no authority over the design of for- 
reams vovems. Chey must Localize the potential effects of 
Brscesszmvreractions with Such systems. By restricting 


such interactions to messages to and from a process in the 
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network, potential interactions are limited to that pro- 
cess. The network design must only ensure that such mes- 
ee LVeracywons are possible, and that The processes 
have control over the receipt and interpretation of such 
messages. 

Constraint C2 - Responsibility for meeting 

The postulated design constraints and de- 

sien decisions must be factored between 

Me MEROS Implementation; and process 

designers, 

Toes Ties Ss las only those interactions, for 
Mone one of these three designers may be held responsible, 
that will be discussed. Although other designers (manage- 
ments) may exist in a network and may be important, they 
are not of interest here. In order for the network to be 
Manageable, there must be no conflicts of authority or 
improper assignment of responsibility. For these three 
designers there must be a partitioning of responsibility 
which is disjoint in time. The network designer influences 
process interactions by the features included in the de- 
sign, the implementation designer influences process be~ 
havior by the physical resources chosen with which the de- 
Sign is implemented,.and the process designer is- responsi- 
bie for controlling process behavior by the features chosen 


vich uhich to define-it. 


e eataa on Of lorlcal and physical resources 
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Meme 1 some Ss cc cems Today is part of such factorization. 
Tne physical resottrces are managed by the implementation. 
Lopical processes make requests to use certain resources, 
DUENE mapping fren logical to physical is not necessari- 
ie = tw Sinte nov all implementations in a network will 
eme under one management, the network design provides the 
common interface between the implementers and the process 
G@eatpiers. IT pesvonsibility is clearly factored, each 
designer can solve its ovn management problems in a lo- 
cally optimal manner. The development of more complex 
ven ana vise distribution of a set of processes over 
a network make it ¿imperativo that the responsibilities of 
Mee PeuwOork g 2iiplemencetlicn, and proeess designers be 
clearly stated. Identification of these responsibilities 
will permit the network designer to introduce appropriate 
Mechanisms so each responsible agent can fulfill its re- 
Sponsibiliicses 

Of primary interest here are the process state 

structures ana system processor operators necessary for 
the process and network designers to do their job. Al- 
though the implementation of the network design on par- 
Peller arechitecuures will require much design work, no 
assumptions will be made here about the way the physical 
implementers will solve their problems. Until there is 


a network design to implement, questions concerning im- 
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plementation are only secondary. 

Constraint C2 requires that responsibility for meet- 
mie une postulated design constraints and design decisions, 
including the interactions mentioned earlier, be assigned 
wne oi the three designers, Within the network, each 
implementation management must be free to manage the re- 
sources it is using to implement the network. Therefore 
it must have responsibility for such resources so it can 
meet its own optimization criteria, If users are to be 
permitted to construct interesting and useful process re- 
MON ENnips, process designers must be assigned responsi- 
bility for the definition of these processes. The network 
Geet must, of course, define the interfaces between each 
Ot the other designs, and therefore must have responsibil- 
ity for providing a well-defined interface and for con- 
trolling interactions between the other designs. 

Constraint C3 - Each desirner must have suf- 

nO Unity CO control the effects, on 

ee processer Unnine in the network; Of the 

interactions for which that designer- has been 

delegatied responsibility. 

espana iba toy for controllime tne effects of 
process interactions is fectored between network, imple- 
mentation, and process designers, then each designer must 
define and control uncooperative process interactions. 


pace noneooperation is a point of view, only the re- 
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sponsible arent can determine when some action is uncoop- 
paul Vew it Was pointed out earlier that process noncoop- 
eration gan be controlled only by restricting the effects 
of the various interactions through which it can occur. 
Beem or tne three designers, therefore, must be given such 
authority to restrict the effects of the interactions for 
which it is responsible. Only then can each designer im- 
peement a Local control of cooperation or lack of it. 

Although constraint C2 requires that responsibility 
Mermiacvorecd between the Three designers, nothing would 
have been soived without the addition of constraint C3. 
Responsibility to control process interacticns without 
the associated authority to carry out those responsibili- 
ties would be meaningless. The network design must in- 
de sufficient logical process state structures and 
system processor operators for a desipnated responsible 
agent to control those interactions which the design has 
defined as its responsibilities. Responsibility and 
authority must both reside with the same arent. 

Constraint C4 - Although processes must be 

POr TOE N O Celerpadue vO ObuNer processes 

Pcie GO rl iil OmCOMe rola processuinter-— 

actions, the delerating process always re- 

calme responsibility. form that interaction 

and the authority to control the process 


to which it was delegated. 


this constraint must be postulated if process de- 
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eıenerssare to have tne flexibiiity to do their job. The 
Brent is not to design a process ¿independent system, but 
Just the opposite. The design should permit the user to 
aefine multiprocess computations which are highly process 
dependent. Several recent system designs include such a 
service to the users (TENEX, RC4000). 

The question of whether or not a given process de- 
Signer shcula make use of multiprocess computations does 
Mee Delonge here, although it is not difficult to think of 
examples where doing so makes design of process behavior 
much simpler. A simple example would be a logical operat- 
ing system which has three primary processes running under 
it (time sharing, batch, and utility). The operating sys- 
ieamegesarncr mighy want to have one process, which retains 
ultimate authority, to arbitrate conflicts between the 
Giner three precesses,; but to delegate the authority to 
make local decisions to the three children. 

The dellvery of maximum freedom to user processes 
Vor manase ovher Local processes, requires that they be con- 
sidered as submanapers and given corresponding authority 
to control process behavior necessary to fulfill their 
responsibilities. Process submanagers should be able to 
construct their computations as multiple interacting pro- 
cesses and be able to delegate some of their authority to 


Subprocesses over which they retain ultimate responsibility 
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ana authority. The user can then create various operat- 
w av iconmenos Tor sets of subprocesses in a hierarchy 
of user defined operating systems. Instead of reauiring 
one process tc make all decisions according to a peneral 
Mieorichm, authority can be passed to other processes to 
make che gecisions in a locally optimal manner. Con- 
straint C4 is intended to force the network designer to 
include the acility for processes to delegate responsi- 
bility and authority. A clear designation will have to be 
made as to which responsibilities the network designer 
Will delegate to the process designers, 

Constraint C5 - The network definition 

must provide for modification of its def- 

inition. The design must provide suffi- 

cient constraints to be able to delegate 

safely to process desifners all modifica- 

Con decisions and authorlcy to control 

the effects of such decisions on the 

processes, 

MYRDE desir ny which is to survive over a 
period of time, must recognize the fact that changes will 
be necessary. Additional systems may be added to the net- 
work or new process state structures may develop. Con- 
straint C5 requires the final network design to define 
what types of network evolutions will be permitted, along 
with the environments in which they may take place and 


under what constraints. If these evolutionary processes 


Vememioe sO CcOnstrained, an Implementation designer could 
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never know thatethe implementation was valid. 

Process designer support is the whole reason for 
Bay cOmputer system design. It would be inconsistent te 


give process designers responsibilities for some int 


(D 


race 
tion and then permit the network to be modified and effect 
that interaction without the "consent" of that designer. 
If the network is to support well-defined processes as rs- 
Aira DY constraint Cl, process designers must make the 
feerstons as to whether or not some moailficaticn will cause 
Beme of thelr processes to misbehave. Impiicit in this 
ac racno 1s the fact that, because of the three way fac- 
toring of responsibility for controlling process interac- 
Pons, wiere Will be some interactions which will be the 
eponsinllity of the network and implementation designers 
and thererore should not be available to the process de- 
Signers. The control that process desipner has over the 
effects of network definition modifications will be deter- 
mined by the factoring of responsibility required by con- 


Serarnt C2. 


Delegation of Authority Constraints 

The previous section introduced the design con- 
dants chat are being postulated in this thesis. The 
remainder of this chapter will develop some additional 


constraints which follow from the postulated constraints. 
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This section looks at some autnority celegration constraints 
Ein primarily from C2 and C3. 

Deleration Constraint Dl ~ Responsibility for 

een averactaoneand authority to control it 

must be unlauely assigned to the same designer. 

discos tramo olows daisectly from C2 and C3. 
MronOucgh a0 1s implicit in the previous constraints, it 
should be clearly stated as a constraint so the network 
Wes ener makes such a unique designation when a choice 
exists. If a designer is designated as responsible for 
eont trolling an interaction, it would not be consistent to 
Permit another agent to alsc have control over it. The 
responsible agent viould no tonger be responsible and con- 
Straint C2 would be violated. A designer with authority 
to control an interaction must be able to act on its own 
initiative, subject only to its design constraints. 

A constraint Similar to Dl is necessary in any de=- 
sign that is to produce a manageable system. Each desipn- 
er must be able to solve its problems in any locally op- 
tonal Manner. ew. thowee fear that some other designer is 
also competitively controlling that same interaction with 
Belleınzseontiiet Of authorities. If conflicts of author- 
Oo existed an e system, the system would no longer be 
guaranteed to be manageable unless there were an arbitrator 


Bzenizeozsertie che conflict. If such an authority does 





exo then il Tee the wiique authority this constraint 
Says must exist. 

The recognition that this constraint exists, pro- 
vides the network designer the freedom to delegate to the 
San r designers the responsibility for solving fheir own 
problems. Once an interaction is designated as being the 
esponsibility of one of the three» groups of designers, 
mechanisms can be provided to permit those designers to 
solve their problems. The network design does not have 
Gommakemarbitrary ehodces of algorithms to solve particu- 
ar problems, but can defer the choice of which algorithm 
Ruse tG.the avpropriatesdesigner. Unique assignment of 
authority permits the designer to delegate the maximum 
humber of responsibilities to the facility and process 
designers. This results in a simplified network design 
voen stiil fulfills the responsibilities of the network 
designers. 

Delegation Constraint D2 - Network designers 

are responsible er ensuring that the network 


Moms lieprOcCectanm, meels the constraints, and 
is formally defined. 





Constraint De follows directly from the second 
postulated constraint requiring that responsibility for 
Ie raculonsapbe assigned to one of three designers. The 
network design provides the interface between the process 


and implementation managements. The remainder of this 
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NO 


pes iS wits detine this interface, 

seli-protecting - A network is self-protecting if 
Maere are zufticient eonstraints on the freedoms of future 
designers (implementation and process) so their actions 
Eemot affect the network in any way which would cause it 
envi oli a any of che eonstraints or design decisions. 

me tne desipn vers not made self-protecting, con- 
ein? Vrolatine Interactions might occur between the 
process and implementation designers. If all implementa- 
tion designers were under one authority, or ir all pro- 
G@eases were known to be cooperative, then the protection 
responsibility could be delegated to them. Since we can- 
Mas sine elther of these situations to be true, the oniy 
Gemmon Qesimer in all cases is the network designer. The 
network designer thus is the only agent capable of ful- 
filling this need. A need for network self-protection 
exists if the processes are to be well-defined. 

Ensuring that the network design meets the con- 
straints is an obvious requirement of the network design- 
er. The process and implementation designers cannot be 
mela responsible for this requirement since neither one 
of them has enough global information to know if the net- 
Wom. meevs Che constraints or not. 

Formally defining the network must be a responsi- 


bility of the network designers since they are responsible 
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Pere une deslen in the first place. A formal definition is 
required if the network designers are to expect it to be 
Maemo. fuovsly understood by the implementers end the network 
mers. dt must also be formaaly defined if the designer 


is to know thet it. satisfies the design constraints. 


Dasmieneccnstraint D3 = The implementation 
eslipners ara responsibls for the design, 
construction, aná maintenance of an opti- 


mai eguivalent system: 





An equivalent System is one in which the processes 
are isomorphic to the processes as formally defined. Con- 
stralnt De recognizes that the network willl be implemented 
and that, according to constraint C2, some agent must be 
held responsibie for the implementation. Each implementa- 
tion designer is uniquely capable of determining what the 
optimal implementation at that facility will ve. Only 
tne implementation designer knows what physical resources 
Meempresent or can be obtained at that facility. Each im- 
plementer must first design an equivalent system according 
wemtts OWN management constraints, then construct such an 
equivalent system, and finally maintain that equivalent 
system. 

This constraint permits the local designers to con- 
tinue to optimize their local implementations since they 


have complete responsibility for the equivalent implementa- 





tion designer from moving an implemencation to another 
physical machine or making modification to the current im- 
plementation. As long as the implementation remains equiv- 
alent, the local implementation desipner is free to make 
any changes in the implementation desmed desirable. 

the success that a network achieves in exploiting 
Pies delegation, ol responsibility and authority to the 
implementation designer, will be highly dependent on the 
Rervicular design chosen. it is particularly important 
that no one-to-one mappings be required between particular 
features of the logical network design and particular phy- 
sical resources which might be available. Note that this 
says one-toe-one mappings required by the design, One-toe 
ee mappinss which result by accident or the design of the 
implementers might be beneficial because of potentially in- 
Meeesead Cliaciency, and 1S a choice of the implementers 
though and within their authority. Today's system designs 
Olten depend on such mappings and tnis makes them costly 
to move. If the "impressive improvements in technology" 
that Withington (Wi72) predicts are to be beneficial, new 
logical designs must provide for economical movement be- 
tween facilities and between technology generations. Be- 
ASS OL the responsability delegation in this constraint, 
most of the interactions mentioned earlier which do not 


appear in the network as formally defined, will be the 
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responsibility of the Implementation designers who will 
have authority to control them in any way that optimizes 


their own goals. 


Delegation Constraint D4 ~ The process 


desipners are responsible for all vir- 
tual interprocess interaetions. 


Vol invemprocess interactions are those pro= 





cess interactions which would appear if the processes were 
Pera rün as formally defined, and do not include those 
additional interactions which might appear in the esquiva- 
lent implementations because the implementation designer 
ehose particular physical resources for his implementation. 
Constraint D4 follows from C2 and CH, The imple- 
mentatíion designers cannot be held responsible for virtual 
interprocess interactions since each implementation de- 
Signer may be under a differsnt management and none of 
the constraints prohibit interactions between processes 
residing in different network systems. The network de- 
Signers cannot be responsible for all virtual interpro- 
cess interactions because they cannot hope to know what 
all processes will be designed to do. The only designer 
remaining is the process designer.” Even if it were not 
Ion ura nvenaten is implicit in the postulated con- 
straints, delegating to process designers the responsi- 
bility for all virtual interprocess interations would be 


desirable from a point of view of generality. 
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COn 


Deieration Constraint D5 ~ If an implementa- 

tion designer has an unsolvable nvroblem due 

to boundedness which effects the processes 

Tice Mem Ores Cie set lect “One che process 

state structure must be well-defined so the 

processats teners can ameltorace the const= 

quences, . 

Ii eon {tieac postulated constraint had not included 
bounded systems, constraint D5 could have been glossed 
Over by adding a statement, in the design, that the imple- 
mentation designers weuld always do the best they could. 
This would have required implementation dependent process 
transformations without e common definition of the effect 
of such "failures" on the formal definition of the network. 

Implementation "failures" are solely the responsi- 
bility of each implementation designer under D3, as long 
as they do not effect the virtual processes. When the 
implementation designer declares that a process has hit a 
bound (an implementation "failure" has occurred which the 
implementation designer declared will affect that process 
state), the "failure" is no longer solely the implementa- 
tion designer's problem. If the solution were left up to 
each implementation designer, each solution might be dif- 
ferent and the processes might no longer be well-defined. 
Since constraint Cl permits a process to delegate to other 
processes authority to control certain interactions, the 


process which hits the bound may not be responsible for 


the problem. The implementation and network desipners may 
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not have sufficient knowledge to decide what action to 
also Te ameltorate the problem, only the process designers 
may have the information necessary to do it. The flexi- 
bility that a procsss designer has to Go so, will be high- 
ly dependent on the features included es design choices 
Hee a point of view of generality. Constraint D5 is 
intended to force the network desipner to include suffi- 
cient features in the design. 

Delesation Constraint D6 ~ Network designers 

ars responsible for the initial definition of 

the network and implicitly for all evolution-~ 

ary paths. Implementation desipners are re- 

sponsibie for the implementation of the initial 

definition and for any potential evolutionary 

path. Process designers are responsible for 


sclectameuwhich evolutionary paths will be 
followed, 





RespenssbiLity must be LTactored between the three 
designers (C2) and network modification must be permitted 
(C5), therefore a delegation constraint must be develope 
assigning responsibility for network evolution. The net- 
work designer is the only one cf the three designers whicn 
can properly be assigned responsibility for defining 
don es in the initial definition, De requires that net- 
work designers be responsible for ensuring the network is 
Pei provecuine. Mesvs [he constraints, and is formally 
defined. MTnis constraint extends C2 to include responsi- 


bility for all potential network evolution, and requires 
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Prat the initial network definition also define all poten- 
tial evolutionary paths. When the implementation design- 
er's responsibilities in D3 are extended to include the 
implementation of modified definitions, it is imperative 
that such designer be able to determine if the implementa- 
Peer will be able to support such modifications before it 
claims ič has implemented the network. In order for an im 
plementation designer to be able to make such a determina- 


10 Li, potential pati o 2 voluti mu 2 de- 
Don; al Stentlal.natns Of network evolution must be de 


Im 


mine as part of the initial network. 

1t. is possible to factor the remaining evolutionary 
responsibilities petween the two remaining designers. An 
implementation desipner must support the initial network 
and all potential evolutions if it accepts the network. 
This must be so since the implementation designer is the 
only designer which can be responsible for implementing 
such changes. 

Process designers must be delegated the responsi- 

Pelivcy for determining which path to take. The network 
designers fulfill their responsibilities when they define 
the initial network and all potential evolutionary paths. 
pte mnentacion"*aesigasrs tulgill their responsibilities 
on Lacy inpremen. the Initial system, inciuding modifi-~ 
cation operations for all potential evolutions as defined 


by the network designers. The process designer is free to 


SS 


o 
7 

= oo 
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Choose the particular path of evolution that it wants t 


© 


Mase. Under C5, process designers are the only designers 
which can evaluate tne potential effects of such modifica- 
tion on the processes, D4 delegates process designers as 
responsible for virtual process interactions. Since modif- 
ication of the network may cause virtual process inter- 
actions (processes may behave differently after a modifica- 
tion than before), the process designers must choose the 
modification to be done. Neither the network nor the im- 
plementation designers have sufficient knowledge to decide 
which modifications to make. It is possible to delegate the 
auchority to process designers to choose the path, since it 
ís the network designer which designs the operators that 
process designers wili cause to be executed. The network 
designer must ensure that any choice of modification oper- 


ators will always be a permissible one. 


implementation Designer Constraints 

DSen ecto is imeludeo primarily for completeness, 
Since it is not the intention of this thesis to look at im- 
plementation problems nor to constrainxythe implementation 
Beseeners more’ than necessary, the constraints dealing with 
equivalent system implementation, modification, and bounded- 
ness are sufficient for our purposes. Each particular im- 


plementation designer will have to develop further imple- 
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mentation constraints when designing an equlvalent systen. 
responsibility and authority for meeting the constraints 
aná design decisions has been factored and future imple- 
mentation designers will be responsible for this part of 
the design. The remainder of the chapter will look at 


further constraints on the process and network designers. 


Process Designer Constraints 





(ies section Will took et some of the constraints 
whcn must be placed on process designers to ensure that 


their actions remain within the postulated constraints. 


process Constraint Bl + Processes must be 


arranged in a tree structure defining their 

hierarchy of responsibility over descendent 

processes. 

The network design must permit processes to delc- 
Pere LO other processes their authority to control process 
interactions. The delegating process always retains re- 
Mentor oliivy Tor that interaction and authority to control 
the process to which it was delegated (C4). There are 
many interactions over which process designers have author- 
ity (D4, D5). The possible process interactions mentioned 
eariier included such things as birth and death, allocation 
Ao ETC resources, and logical expectations. 

Implicit in constraint C4 is a hlerarchy of proces- 


Sea wile Gdeégines their relationship with respect to re- 


Memos DOLliLy mama authority for controlling other processes. 
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Each process in the hierarchy will be held responsible for 
meen eehavlor vg processes above it, even while delegating 
authority to processes belov, nere appears to be two 
alternative ways that such a hierarchy could exist. It 
Gould be as a general graph structure with the various 
threads being the different responsibilities and authori- 
fees, Or the more restrictive form of a tree structure with 
the threads of responsibility defining the tree. 

PSU, any particular Chain of responsibility and 
authority cannot be permitted to double back on itself if 
the network is to guarantee well-defined processes. The 
concept of having authority over someone who has author- 
Io ver you is incongruous. “lf it werd permitted, the 
Hepwor. weula have to arbitrate conflicts; which it can- 
not do because it dees not have sufficient knowledge of 
what the processes are trying to accomplish. The only 
alternative is to have a non-intersecting thread of re- 
sponsibility. 

This restricted graph would still permit there to 
be more than one process responsible for another procsss. 
If one process has more than one process responsible for 
its behavior, it would be impossible to ensure that there 
would never be any conflicts of interest between these 
authorities. When one of the responsible processes exe- 


cuted its authority, it might affect the process, for 
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which it is sharing responsibility, in a way which would 
arfect the interactions over which the other process has 
woi. Such conflicts of authority would require 
arbitration wnich cannot be allowed if processes are to 
be well-defined. 

The remaining alternative is to permit processes 
mee be related only in a tree structure defined by their 
responsibility and authority over descendent processes. 
se there is at most one immediate responsible agent, 
it can have complete and unique authority over the pro- 
do oos for which 10 is responsible. Although this is a 
canstraint on process behavior, it produces significant 
freedom for the network designer because there is no need 
to De concerned over whether or not a process has a cer- 
tain authority over another process. The designer must 
only be®eoncerned with providing mechanisms which a parent 
process can use to exercise its authority over a child 
process, and not be concerned about the merits of the use 
O such an- authority. 

Process Constraint P2 - A unique root 

process must exist representing overall 

Peces management., 

Constraint D4 points out that it must be the pro- 


dessraesie2ners which control all virtual process interac- 


tions. The previous constraint points out that process 
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muvumoraty and responsibilities exist In the shape of a 
tree, An extensicn of the above arguments Jeads to con- 
straint P2. If interactions between processes in differ- 
ent trees are to be permitted, then there must be an agent 
responsible for such interactions. Both trees must there 
fore be sub-trees of some common ancestor. It would be 
arbi Crary constraint on process behavior to say that 
two processes cannot interact if tney exist in different 
trees. Any such root process may produce sub--trees which 
it chooses to isolate and consider independent trees if 
Meotrea, This root process is this unique for all of the 
processes in the network. 

Peocess Constraint PB3.= No processor race 

conditions can be permitted to effect a 

process state transformation during that 

transformation. 

This is a direct consequence of Cl which says that 
the design must have well-defined processes. If the de= 
Sign did permit processor race conditions to exist within 
a process state transformation, the désign would no longer 
Savlvisiy constraint Cl. The actual mechanisms to be used 
POP Te vento such processor conditions from occurring are 
Dumerous, aná the ones chosen for a PERU Web a etic Ul Oia 
design may vary according to the influence of other de- 
Sign choices. This does not rule out the inevitable race 


conditions arising from the receipt of interprocess 
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messcdres DY a system processor. 


Process Constraint P4 - Operators available 


to process aesigners affect only the con- 
taining process state. 


If nonlocal process state transformations (trans- 
formations on process states other than the one That con- 
tained the operator that was executed) ware permitted, 
Senecrarie Cl CGoulo be violated, unless all such nonlocal 
meanslormacrion could be predicted, accounted for, and con- 
Peolled by a responsible arent. 

There are several reasons why these requirements 
would be extremely difficult to guarantee ín a network 
design. If nonlocal process transformations were per- 
ev ved. each implementation=designer mignt be forced to 
make sure they could not cause processor race conditions 
for the effected process state. Even if such interactions 
mere in general constrained to processes within the same 
Beton, the use of multiple physical processors might be 
foogeecult, It would also introduce an arbitrary con- 
Ural numomeprocesomdesipners. 

Such interprocess transformations, if permitted, 
would be a form of interprocess communication (in effect, 
Shared space). Equivalent behavior can be achieved by 
the process (which would have initiated the interaction) 


transmitting a message to the other process. The message 
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then could cause the desired transformation as an opera- 
tion local to the other process state. The final network 
Poe, i general enough, can provide these equivalent 
operations without the inherent overhead that would be 
required if nonlocal process state transformations were 


permitted. 


Mroe@ss Conetraint P5 = Multiple processes 


u nee ut EEE 


may be transformed in parallel. 








Constraint P6 is an obvious consequence of the first 
Postulated censtraint which says that the design is to cone 
Bst Of a network of digital computer systems. It would be 
Bmeons3stent to exzpect the network as a whole to operate 
sequentially. At a minimum, processes in different sys- 
tems must be permitted to execute in parallel. It is the 
responsibility of the network designers to define parallel 
vransformations, and allow process designers to determine 
whether or not to make use of this facility. It would be 
proper at this times though, to make constraint P5 any 
stronger. 

There is nothing in the postulated constraints 
which would force the design to include parallelism in 
Bach system in the network. Although this might appear 
Cesi irao alt must be included later asa design deci- 
on, Nere as a desipn constraint. 


Proeemssconstraine P6 = Distribution of 
processes over the network must be per- 
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mitted and each process state must be 
Dome lvysceontainea in, at most, one s 
tem at a time, 


ro 
ysa 


Constraint P6 is implicit in postulated constraint 


Cl. It would make no sense to have a network of systems 
and then restrict all processes to exist in the same sys- 
tem. Process designers should be able to choose how to 
distribute processes in the network, and constraint P6 
chat such a distribution is possible. 

A process would not be well-defined if it were 
Bontained in more Than one system at a Time since each 
system would proceed independently in parallel. There 
is no assumption made about the relative speeds of the 
systems in the network which means that nothing could be 
said about the ravidity with which the disjoint process 
Bares were proceeding. Since a process is a sequence of 
Process Staves, the process becomes not well-defined when 
more than one system is transforming it because the se- 
quence of process states would not be well-defined. Pro- 
cess designers are responsible for splitting a process 
into multiple processes so they can run on multiple sys- 
tens, 

Roces sp constraónt PBIzezTntervrocess communi- 

Caclon must be permitted and be subject to 

parental control. Synchronization between 

EneCecossces LSeune rpesponmcwo.lity of process 

designers. Processes residing in different 


Systems may be synchronized only using in- 
Verprocessseonmuntlcatlon. 
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If it were not for postulated constraint C4 (pro- 
cess delegation of authority) the network could be dee 
signed as a simple time sharing system where no interpro- 
cess interactions were permitted. Constraint C4 implies 
that there will have to be some interprocess interactions 
Pietuhe process designers are to fulfill their responsi- 
Parties. Since process transformations must be locai to 
the process (P4), the only remaining means of meeting con- 
straint C4 is to permit interprocess communication. 

Enarzzuch cemmunseation be subject to parental con- 
trol is an obvious requirement, stemming from constraint 


C4 and developed in DY. Process desipners are resnonsibie 


4 


mteracetions and therefore 


fa 
we 


x 


¡e 


e 
CA 


tie 


for 2ll virtual interprocess 
Msi Des. responsable for interorocess communication. The 

need for a process tree hierarchy of responsibility (P1) 

Mts ione Control of such interactions in the hands of the 
parent. 

Erocesszsynchronlzation 15 an interprocess inter- 
mato” Ter which process designers must be responsible 
under DH. Network and implementation designers cannot 
always know if two processes in the network are synchron- 
aCe tier intenttally or bysaecident. The definition 
Opec cL val systems wnder constraint Cl says nothing about 
the relative speed at which process steps in two systems 


a carried out. _Synchronization or lack of it between 
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systems is not 2 property of our network since it depends 
on the implementation. The particular allccation of hard- 
mare used by implementation designers for its optimal 
eguivalent systems (D3) might have multiple logical sys- 
tems implemented on one physical system, or might use mul- 
mote physical systems to implement one lcgical system. 
Pecnout placing an arbitrary constraint, to implement 
either synchronous or asynchronous svstems only (which 
we choose not to do), synchronization between processes 
in different systems can only be ensured by the processes 
Vremselves using interprocess communication. 

Process constraint P3 - An "accountable ob- 

ject" chain must exist, and processes must 

be able tc restrict use of these accountable 

objects when sub-ellocated. 

Mecounuable objects Aare -loplcal resources which 
processes may allocate to their children. The network 
desien provides services for the accounting of these ob- 
jects, including the return of them if a parent wishes 
them back and enforcing constraints on their use, 

A process tree of responsible agents alone does 
not completely describe the implications of postulated 
constraint C4. It does not provide sufficient services 
for a process desipner to use to control all virtual in- 
terprocess interactions. There are several interactions 


With respect to logical resources which the previous 
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Semoureiies Still permit to go uncontrolled. If a network 
E ‘o pernit processes to delegate authority, then this 
autnority is a logical resource whose accounting and sub- 
A location is something that a parent may need to control. 
The constraints make no assumptions abcut a child's cooper- 
ation with its parent. A special mechanism must therefore 
M provided which permits the parernt to fulfill its respon- 
sibilities even if a child becoines uncooperative. The 
process A adael ines responsibility, T but does not constrain 
how deep the tree may be or how many children a particu- 
lar process may have. 

Although it is the responsibility of the process 
m eners to decide what and how much authority to give 
to a child, the network design must provide remote en- 
forcement services for accountable objects. At this point 
wis not Important what Is being passed, but only that 
certain accountable information must be passed. For ex- 
zuple, communication must be subject to parental control 
(P7) and certain accountable information may be necessary 
to accomplish this. Since the children may not be cooper- 
ative, the network must provide use restrictions and ac- 
counting mechanisms, which may be invoked to protect these 
objects from the actions of a child. 

These items (whatever they may logically represent) 


become accountable objects to the network. Since there 
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are no restricticne on how deep a tree may be or how many 
children a particular process may have, a constraint is 
required which provides sufficient fecilities to prozess 
management to control the use of these objects. Given 

penes istence of an accountable objéct, the network, if 

16 1s to perform its functicns, must be able to locate 

the object. The network design must provide for an ace 
counting chain (to the object from the process responsible 
for it) which is not subject to the desires of the child 
Process. in addition, if a process designer is to dele- 
Gate some of its authority, then mechanisms must be pro- 
vided which allow restriction of the use of these account~ 


able objects in addition to just accounting, for then. 


Network Designer Constraints 

The previous section developed some of the con- 
Straints on the system design due to process designer 
responsibilities which can be derived from the five postu- 
feed Constraints. This section will look at some of the 
constraints which must exist to permit the network de- 


TE ner tomul its responsibilities. 


Network Constraint Nl - The network designer 


Y AU A A AA 1 PA A A A RA a UM 


ant names which can be used by the process de- 
Saeners for conmunication and control. 


Ssıncerarrierent implementation designers, If not 





Rn: 
Nes ricted., mignt use Local names Tor control and commun- 
ication, process communication might become Implementation 
meeenect«. If process designers created the names, they 
also might not be consistent in name creation. ‘The only 
Moemmon designer capable of defining a set of invariant 
memes, Which Can be used by the processes for communica- 
fens ana control, is the network designer. 


wu Wi nt enge Sa AAA A 


sifners are responsible for chang 
network formal definition, 





Network Constraint N2 - The network de- 
res in the 

ame Tıith postulbaced constraint introduces the 
possibllity of ausmentatlon into the design, D2 desig- 
Mames the network designer as responsible for the net- 
work's definition, and D6 designates the network designer 
as responsible for ail evolutionary paths. The network 
designer must also ‘fulfill its responsibility by con- 
wraning evolutionary changes in the formal definition, 
before the implementers can actually augment the system, 

Network Constraint N3 - Sufficient services 

mMUst bs provided, Dy the network designers, 

for the process designers to accomplish their 


purpose nclucing resource accounting and 
intersystem communication. 





The particular services provided by the network 
designers will be desipmed according to how they deem 
the network will be used. Resource accounting and inter- 


stem communication are services already mentioned spe- 
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MECA Duc Chere will be many more; This is a require- 
Meme since Wach designer must have sufficient authority to 
DeL Let tne effects di the interactions for which it is 
responsible, If the process designers are to be respon- 
mole for all ainterprocess interactions, then the network 
must provide common services through which they may exe 


eae this authority. 


Network Constraint N! - Network modification 


E age Er 


operators are mete-operators and must first 

ensure the modification does not violate anv 

of Ches postulated constraints and then either 

act as a no~op if it is one of the permissible 
Por RO REVOLUCION or Fault If it is not, 

Network modification operator - A formaily defined 


operator which the process designers can cause to be executed, 
It is intended to cause the network definition to be modi- 
fied and then implemented by using locally defined procedures, 
Meta-operator - An operator whose effect is not 
represented by a change in the process state. (In this 
case it changes the network definition. ) 
No-op - An operator which does not change the proc- 
ess state other than to advance the "program counter." 
It is clear that such modification operators must 
be meta-operators since they operate on the network defin- 


icion aña not on the process state. That the operators 


must prove the modification does not violate any of the 
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Mostulactea constraints follows from the delegation of re- 
sponsibility constraint D6, where network management is 
Pesponsxople for ail evolutionary paths. The only way that 
the network management can fulfill this responsibility is 
to design the operators so they ensure the modification 
does not violate the constraints. 

mee ,esulus ©f DrOCeSS Manamement executing such an 
Operator, must be either a no-op or a fault in the execut- 
mae sysvem. Tne execution of a modification operator may 
esse Anveractions which are the responsibility of each 
of the three designers. The definition must be changed, 
the new definition must be implemented, and finally the 
Peocess must be told it succeeded or not. 

if the operation had any affect on the process it- 
self other than fault or no-op, then the implementation 
management would have to ensure that the process remained 
well-defined. All system steps would have to be designed 
and implemented so the execution of a modification opera- 
tor during one of the steps would leave the executing pro- 
cess well-defined (this might be possible), but even worse, 
it would have to leave all other processes (also executing 
during that step) well-defined. This is clearly not the 
responsibility of either the process or implementation 
designers, 


Since the network designer does not have complete 
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Myl eae of what either of these two designers will al» 
T Ss be doing, tne only guaranteed non-race situation is 
Consider- it a no-op in process transfornations, The 
process executes the operator and either goes on with a 
no-op or faults (well-defined operations during that 
system step). The definition is either changed or not 
GSepenGing cr the validity of the operation, and finally 
the implementatícn designer changes the implementation 
betieen System steps when all processes ara not undergoing 
transformations and then starts the next system step using 


the new definition. 


Meinen Ehöonstraing N5 = The effects of 


AMA TA RA il A 


network evelution, cther then the addition 

of a new system to the network, must be 

local to the system within which the oper- 

ator was executed, 

tims) CONS rainir follows direetly uw romthe fact. that 
we are interested in digital systems (Cl), the factoring 
of responsibility, and maintaining well-defined evolu- 
tionary processes. To say that the effects of evolution 
Here Cher than local to the system in which the operator 
was executed would require synchronization between two 
Pomenc, a violation of the concept of digital system. 
Tie vould not nule out; of course, a process in one sys- 


tem executing an operator which caused a message to be 


transmitted to another process in another system, That 
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process could then execute the modification operator and 
tause that system tc be modified since the final modifica- 
om is Locales» The exact procedure again wiil depend on 
the particular modifying operators provided by the network 


designers. The addition of a new system cannot be con- 


EN 
He 
= 
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sidered local since there is no such system in the 


palace, 


Network Constraint N6 - The network design 


amy wee ee ee 


mist permit process desirners to limit the 

effects of a network modification operator 

to une DHOLA SS executing it. -Process de- 

cigners must be able to uniquely control 

the right hito execute non-commuting modifi- 

cation operators (if any exist). 

Constraint No follows directly from postulated con- 
straints Cl and C5. Process designers must have responsi- 
eem y ald authority to control the effects of network 
An acion modification on the process interactions fcr 
which the process designer has been designated responsi- 
ennac. ‘this is not quite strong enough to guarantee the 
well-defined processes as required by Cl. Because the 
modification operator is really a meta-operator (NY), 
there could be interactions due to two processes simul- 
taneously executing non-commuting modification operators 
which would result in non-well+defined processes or sys- 


tem. 


mae retated could permit the effects to be limited 
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io proceoces Gxecuting the modification operator, 
but the Pesultine network definition might be different 
than either one of the processes expected. In order to 
guarantee that all processes will be wezl-defined, pro- 
cess designers must be able to limit the effects of the 
me ecucwon of a modification Sperator to the process exe- 
cutíne that operator. 

As a consequence of permitting the processes to sub- 
allocate their responsibilities the right to execute non- 
commuting modification operators (if they are permitted) 
must be controlled. If non-commuting operators exist, 
then two processes executing such modification operators 
could affect each other in away that would make the oper- 
an have nonlocal effects and possibly produce processes 


which are not well-defined. 
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Programming generality is the inde- 
pendence of an algorithm from the environ- 
ment in which it operates (Denning, P.J. - 
De6d, p. 6). 


NETWORK STRUCTURE DESIGN 


intreduction 

The primary goal of this thesis is tac develorment 
and formal definition of e general machine independent net. 
mem design mich wí11 support ootentisiivy ticoupearativea 
processes. in the previous chapter a set cf constraints 
were úáevelovoea which are intended to perniü notwerkz manage 
ment problems (relevant to the control of uncooperative pro 
cesses) to be solved. Boundedness and network evolution 
were also included. Network designers are responsible for 
the design end formal definition of the neticrk, Implement~ 
ation designers are responsible for implementing Jccally 
optimal equivalent systems. Process designers are responsi- 
Ble for controlling all interprocess interactions between 
MmiemerOcessces il) Lie virtual network, including those due 
To Suballocation of the control of interprocess interactions. 

This chapter will informally develop the major design 
choices relevant to process state structures and the trans- 


formations to be carried out on them. Within the bounds of 
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the constraints, many network designs could be produced, 


Some of which would not provide what we feel is sufficient 
Mo cess generality. This chapter presents those design 
decisions, relating to such generality, which the networks 
@etined by this design should provide. The design choices 
will be explained and where necessary shown to be ccnsistent 
mpc the constraimes of te previeus chapter. 

Since network modification must be permitted, a mini- 
mal system will be presented fron which any particular net- 
work may evolve. The process designers determine which 
modification operators will be executed, and therefore re- 
G significant control of the attributes of a particular 
network. A minimal initial definition also has the advantage 
Sumreduiring the network design to include “at least those 
network modification operators which are necessary to evolve 
interesting networks from the initial system. Although the 
sequence of presentation did not effect the validity of the 
constraints, the same cannot be said for the design decisions 
presented here, The development is intended to be complete 
enough to permit the reader to understand the essential 
characteristics of the network in all respects except its 
final representation. A formal definition of the network 
Neal be found in Appendix C. 

There are several informal design principles which 
have been used in this chapter. An attempt has been made to 


provide facilities which process designers can use to con- 
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Suruct” proceseos Which” implement their decisions concerning; 
the control of their application processes. The network de- 
pepe Should nort build in particular strategies whenever it 
De a vo Oca particularly 11 it limits the freedom of 
process desipners. The tools provided shoulda be useful and 
eonvenient so that interesting applications can be produced 
ma Droperiy managed. Each process in the network should ne 
Me TO Mare tiniterpropress. independent=of what other pro- 
cesses in the network are doing. 

In acditicn to previding a rich programming environ- 
ae cic ae TE Snould= pe general enough te be used as a 
model to compare current systems, ana should be an easy 
Tramevork for conmunticatine ideas. To accomplish this the 
eocepts should provide generality of expression rather than 
artist of options which tend to be confused. In order to 
Peter peneraltity,. che introduction of features "eflecting 
Peecialigaureon for specific applications or particular phy- 
sical assets should be minimized. Where possible, placing 
constraints on the design of the programming languages should 
be deferred until they are required. 

Although efficiency with respect to current systems 
is not a primary goal, process generality features should 
not be introduced without hope of reasonable implementation. 
invariant network features should be identified so imple- 
mentation designers can exploit them for efficient imple- 


mentation. Intuitive notions of efficiency should be brought 
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TO pla vion cheosing between design decisions, *particu- 


larly if they concern implementation on current systems. 
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Desi en decision Al - Each system processor in 


WETTE ea mm ee ee) ee RE 


the network will contain a set of identifiable 

subprocessors including at least the follcwing 

three: GP (General Programmable), AO (Account 

able Object), and PR (Process state Receive ana 

transmit). 

A subprocessor is defined ss an operator of the sys-~ 
tem processor that is applied to a single process state. 

It may be designed to produce an arbitrarily complex pro- 
cess transformation, using only information within that 
process state. Process designers request the system pro- 
Gercor to apply a particular subdprocessor to a particular 
Process state: The execution of a subprocessor only trans- 
forms the process state to which it is being applied and 
does not involve message transmission or receipt. 

All operators of the system processor, including sub- 
processors, which are to be applied during a particular 
System step, are applied in parallel, The system step does 
nov complete until all cperators being applied during that 
step have completed. The system processor performs all oper- 
ations not local to the process state (the transformation 
involves information in addition to that contained in the 
process state). For example, it delivers messages to a 


process state for disposition by a subprocessor, and dis- 


patches messages after they are generated by a subprocessor. 
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Vaewmimicroduction of the concept of subprocessor into 
the network design provides a freedom to delegate responsi- 
bility for the design of the languages to be interpreted by 
the subprocessor to future subprocessor designers with a 
minimum of constraints. The network designer still retains 
responsibility for designing the network so process design- 
ers can control interprocess interactions. The subprocessor 
thus becomes the user programmable part of each system pro-- 
Cessor. The design of the language interpreted by a sub- 
processor will define the way processes may be formed Ly 
defining the transformations on process states. 

pEmee processes are not assumed cooperative, it is 
Sernvenient to limit the effects of the interpretation of 
Beh languages. The use of a subprocesserg. whose operations 
oi ber local tora process. state, permits. this, The 
system processor then performs all operations not local to 
a process state and can be designed to provide a well- 
defined interface for all operations which are not strictly 
local to a process state. The network designer need only 
mecraimnenot derime, subprocessor operations which are 
always local to a process state. All non-local services of 
the system processor can be invoked implicítiy by the sub- 
Broeessomssy#andebe invariant across the network. 

An equivalent system processor could have been de- 
esened which didenot} contain subprocessors. It could be 


augmented with equivalent transformation operators and 
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proper sequencing, and control functions to produce processes 
equivalent to those produced using subprocessars. Subpro- 
Seasors simplify the network design. Without them, the sys- 
tem processor is cluttered with details which are not rele- 
vant to its basic operations of providing services not local 
to 2 process state. Understanding those operations which 
wouid have been logically grouped as a subprocessor is made 
mare difficult because of the additional potential inter- 
actions they would have with the other operators of the sys- 
tem processor. Since a process state is observable once 
Seen System step, the observed process would be cluttered 
with the intermediate steps which would have been hidden by 
dssubprocessor. 

The designer of a subprocessor has certain freedoms 
That would not be present if all of the subprocessor func- 


tions had to be intergrated into the system processor, Only 


a 


Me system processor, and the interactions of a subprocessor 
with it, need be understood by that subprocessor designer. 
Nothing need be known about the way other subprocessors 
operate during execution. It is assumed that all network 
designers will meet the constraints and design decisions. 
Mec nout subprocessors, their responsibilities would include 
emmuen larger part of each system. All systems in the net- 
work would not necessarily provide the same set of subpro- 


Gessors. the interactions to be prepared for, if the design 


ARNO Use Subprocessors, would therefore not necessarily 
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be the same in each System, complicating the problem even 
more, Many more constraints and design decisions would have 
to be introduced into the network to ensure that it supported 
only weli-defined processes. 

A subprocessor designer need not be concerned with 
having Ics operations interrupted by incoming messages, or 
che effect of the transmission of a message to another pro- 
cess whose subprocesscr is in the middle of a process step. 
Nonlocal operations are done by the system processor, Buf- 
fering or other techniques can pe used by a subprocessor 
designer during the execution of a process step since such 
information cannot be affected by anythine outside the sub- 
processo until the step has been conpleted. The network 
Sear agner thus guaranties the locality of process state 
transformations with minimal constraints on subprocessor 
designers. 

Subprocessors are applied by the system processor to 
the process states, in the same manner as any other opera- 
tors, and must be identifiable (recognizable and named) 
Wrehin the system processor. Process designers must have 
gomerol over the sequencing Of subprocessor applications, 
uniquely specifying the different subprocessors to be 
feed. Ine system processor, If the subprocessors are 
identifiable, can be designed to apply the proper subpro- 
cessor on command by process designers without caring what 


the many different processes in the network are intending 
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COS arena ne network wit] Wave av least a GP, 
AO, and PR subprocessor which are common to all systems. 

Ihe network designer cannot hope to know all the subpro- 
Cessors present and future process designers will want to 
Wee. Therefore, 2lthougsh these three common subprocessors 
Provide all initial network services, it would be arbitrary 
to define a set of subprocessors which would be availabie 
at each system in the network and then prohibit the intro- 
Con Of any others. One of the purposes of introducing 
subprocessors into the network is to defer to future ds- 
signers the development of subprocessors and the languages 
meey Interpret. The at least in design decision Al is in- 
tendea to permit the introduction of additional subproces- 
sors. One of the network evoluticnary steps that the design 
meek permice 1S the introduction of new subprocessors into 
particular systems of the network. 

The GP subprecessor 1s the general programmable sub- 
Baocessor which is common to each system in the network. It 
provides all initial network services to process designers. 
The GP is programmable to ensure that process designers may 
invoke services to create useful processes, thus fulfilling 
Network management's responsibilities to provide for pro- 
grammable systems. The GP must provide all such services 
by interpreting a very general programming language since it 


may be the only programmable subprocessor in some systems. 
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Without at least one common programmable subprocessor avail- 
able at each system, process transportability would not be 
a useful. The GP, since it is common, wiil provide pro- 
res designers with one language whose interpretation is ir 
variant in all systems in the network. If a particular sys- 
tem provides for additional programmable subprocessors, the 
process designer must make the choice of whether or not to 
use the GP, The GP is therefore not the "universal" lan- 
guage, but only a guaranteed "common" language. 

Wigan. subprocessor is common to all systems in the 
network and has been delegated the job of fulfilling all 
network responsibilities with respect to accountable ob- 
jects (N3 and P8). By delegating these responsibilities 
to a subprocessor instead of fulfilling them as part of 
Perea System processor design, the network desipmer is able 
to defer binding the structures used for accountable objects, 
while still having sufficient guarantees that the network 
responsibilities will be satisfied. The network design can 
proceed without petting involved in the semantic and syn- 
tactic problems involved with accountable objects and their 
BI LS RO Ssubprocessor will not be programmable in the 
To aal sense of the word, but will provide services to the 
programmable subprocessors of the network. It must be de- 
Signed to carry. out its responsibilities cooperatively with 
respect to accountable objects, even though particular pro- 


cesses may try to be uncooperative. 
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ine final sueprocessor which must be common to each 
system in the network is the PR (Process state Receive and 
transmit) subprocessor. The PR will carry out transforma- 
tions on the PR process, whose function will be to re- 
eeive both process states from other systems and requests 
mem process creation and transmission from processes in 
moe Own system. If the request is to create a new pro- 


kess or if it is e process state from another system and 


ES 


Mee process state is valid to run in that system, the PR 
process requests the system processor to start the process. 
e request 1s to move a process to another system, the 
PR process requests the system processor to transmit the 
Process State to the PR process in the destination system. 
Validation of requests for process creation and 
movement is simplified by requiring that within tne network 
systems only the AO subprocessor be able to generate them. 
peace the AO subprocessor is designed to be cooperative, 
he PR can be designed to assume all requests, even from 
emner systems within the network are valid, provided 
communication is designed so the source is known, Re~ 
quests from foreign systems would present a verification 
problem since nothing may be known about such foreign 
Byovems. A PR process will therefore be designed to re- 
ceive requests only from processes within its system or 


from other PR processes in the other systems of the net- 


work. The PR functions can easily be defined as a sub- 
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processor and delegated to future designers. An example 
PR subprocessor is defined in Appendix C, 

Design decision on Ae» A process state is de= 

fined E a set of identifiable, CCG. DOSS ten 

bly related eos waves, and associated 

information nece ssary for both subprocessor 

allocation and re interactions, 

A process state will have identifiable subst¢atas 
which will be called erpression-states. Expression-states 
contain the state information associated with the execution 
Of a subprocessor, Program interpretation information 
along with data structures and their associated values would 
be included, Expression-states are accessed na transformed 
by subprecessors when they are applied to the BPeecess stave, 

R houl the requirement that expression-stabes be 
identifiable, subprocessors might not be able to distinguish 
one expression-state from another. Accidental subprocessor 
operations on expression-states other than the ones it should 
be accessing might occur, with possibly undefined results. 

In order to ensure that illegal process states did not oceur, 
the design would have to place additional constraints which 
would restrict the generality available to process designers. 
We could have said that expression-states could not interact. 
There would then be no need for more than one expression- 
state in a process state at a time. This solution would not 
allow many conventional relationships such as that maintained 


by coroutines, 
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We could have restricted the process state from con- 
taining more than one type of expression=-state. The whole 
process state structure could have then been made subpro- 
cessor type dependent. The state structure recognized by 
Aeris ubprocessor could then be made to define different 
expression-states, The system processor would only have to 
«now which subprocessor to apply and the subprocessor de- 
signer would define all permissibie operations on the pro- 
Gees state. Although this is simpler, it is not as general 
as permitting multiple kinds of related expression-states 
O exist within one process state, 

Once the design permits a process state to contain 
multiple kinds of expression-states, all subprocessors can 
no longer be guaranteed to recognize all of them, For exan- 
bee. a process state might contain three kinds of expression-~ 
states related in a tree structure (root ana two branches). 
ine appropmelatemsuborocessome for either branch might be able 
pomlinterpret the root expression=-state, but not the expres-- 
sion-state at the other branch. 

Tihe design is to support well-defined processes, 
Cacumsubpmecessor amusb recognize when it has referenced a 
new expression-state. This prevents a subprocessor from 
accidentally transforming an expression-state because an 
expression-state boundary was unwittinely crossed. The 
network design must therefore provide expression-state de- 


limíters in a process state so that it is possible to recog- 
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nize all of the exnression-states contained in it. 

Exrpression-state recognition alone does not guarantee 
well-defined processes. A subprocessor independent method 
f identifying an expression-state as to its kind is also 
needed. There is no way to guarantee, using independently 
Besı onen expression-states, that all subprocessors can de- 
termine if a particular expression=-state is one of the types 
men carn interpret. The network defined process state struc- 
tures must therefore provide that a type be associated with 
each expression-state. A subprocessor when applied to a 
Bescess state, can then identify all of the expression- 
rates enc know which ones. it can interpret. As long as an 
mepressionm-statce is Mentifíable, typed sulstate ofa pro- 
ess Stace, ne further constraints need be placed on its 
meernal structure, tnis is left up to the individual. sub- 
Processor designers, 

ATProcess sabe contains, im addition to a set of 
expression-states, the information necessary for the system 
mrPoceseo. To Carry out Subprocessor allocation and inter- 
Process interactions. Since both of these operations in- 
volve operations external to a process state they must be 
performed by the system processor (constraint P4). The sys- 
tem processor therefore must have access to the necessary 
information. Such information cannot be maintained internal 
to tne expression-states because the system processor might 


DO RDE ler TeWrecoenIBem ie Express®on-state structures 
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are defined by the subprocessor desinners and not the system 
Bere s5or designer, Therefore, the information must be part 
of the network defined process state structure external to 


expression-states. 


hewn oUDOrPCCeSSOY access to structures of 


any other type of expression-state must not 

violate the conventions of the other expres- 

Ssion—stete™s designer. 

Identification of expression-states by type is not 
surficient tc guarantee well-defined processes, The access 
of subprocessors to other than their own type of exprsssion- 
states must be constrained so those expressicn-states are 
Hee lert invan Imprever form, The designer of an expression- 
state defines the conventions that are to be followed and 
the designer of any subprocessor which is to access it must 
follow these conventions. 

It would be impossible for any designer other than 
the expression-state designer to decide on the conventions 
to be followed when a subprocessor accesses each type of 
expression-states since no constraints have been placed on 
their design in the first place. The network design must 
therefore delegate to that same designer the responsibility 
for deciding what conventions must be followed upon another 
Subprocessor access to the expression-state. The designer 
aeach subprocessor Ms then responrsiblemfermensuring that 


the proper conventions are followed by it on access to a 


PavuLcular type of expressionssta@e and that it does not 





transform any expression-state tyne it is not supposed to 


access. 


‚Control-Point 


Design decision 23 - "Control-Points" are 
Ateo uUntablesobJects. 





Control-Points like expresslon-states will be sub- 
States of a process state. They will have associated with 
them the information necessary for the system processor to 
Paar y codi its services with. respeet to ghe containing pro- 
cess state. Control-polnts are an expression-state inde- 
pendent interface between subprocessors and the systen pro- 
ensor, „eubprocessor allocatlion and interorocess interac- 
tion information cen be associated with them and therefore 
be maintained external to expresslon-states. The design 
and use of such information can thus be kept independent of 
the design and use of expression-states. 

The concept of control-points as part of a process 
state will simplify the design of the system processor. The 
design of operations on the process state information asso- 
ciated with control-points can be separated from the lan- 
guage dependent transformations on the information contained 
in expression-states. Since control-points are part of the 
process state, their information can be operated upon local- 
ly by a subprocessor operating on that process state. In 
addition, the system processor can safely access the control- 


point state information because the state structure is part 





of the network design and the same in all process states, 
Control-points are also well-defined and therefore can be 
interpreted by all system processors in the network. 

The next several sections will describe the role con- 
trol-points play in subprocessor allocation and interprocess 
communication. It will not be possible to transform an 2x- 
Presolon—state, and hence a process state, without a control- 
point, Competition for control-points is therefore a type 
of interactlon between processes for which process designers 
must be held responsible. They are the only agents with 
meeeos to sufficient information to manape such interactions, 

The AO subprocessor provides the only network guar- 
enteed mechanism through which process designers can sub- 
eerocave control-points in the process tree, while main- 
enning the ability to restrict their use or recover then. 
As long as control-points are accountable objects, the AO 
subprocessor will account for them and enforce a parent's 
Peqjguzsrements placed on a child's use of them. 

A3.1 - Individual control-points may be paired 

with individual expression-states and more 

than one such palr may exist in a process 

state at one time. 

Ween Dalreag wath an expression-state, the control-point 
names that expression-state for all system processor pro- 
eded services., Pairing a control-point with a particular 
expression-state permits process designers to distinguish 


it (for the system processor) from all the other expression- 
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states in the process state. Although expression-states are 
typed, they are net really named since there may be more than 
one expressiocnestate of a piven type in a process state. 
Pairing a control-point with a particular expressiocn-state 
permits process management to use the control-point's state 
memes rect the system processor in performing its operation 
with respect to that particular expression=state. As will 
Seen later, this is particularly convenient with respect 
to interprocess communication, 

Having multiple expresslon-state/control-point 
(ES/CP) pairs within a process state, permits a process de- 
signer to select for interpretation more than one expression- 
state at a time. Since control-points have associated with 
them all the information necessary to direct the subproces- 
Son carryime out all operatiens which are mot local to a 
Descess state, they must contain the information necessary 
for subprocessor allocations Multiple ES/CP pairs permit 
more than one expression-state at a time to be involved in 
Baeerprocess communication or compete for,subprocessor 
application, 

Das ee nen paired mich an expresslon-state, a 

eontrol-point will have associated with it the 

type of subprocessor to be avplied. 

Ihe subprocessor type associated with a control- 
point that is paired with an expression-state informs the 


stes processor mich type of subprocessor is to be 
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applied to that expression-state. Process designers can 
tbus control what kína of subprocessor is to applied to a 
particular expression-state ty ensuring that the ES/CP 

pair has the correct subprocessor type associated with it. 
the system processor could not otherwise determine which 

me processor to apply to a particular ES/CP pair. The sys- 
čem processor can therefore operate in a purely reflex man- 
ner and not be concerned about any potential ambiguity in 
the mapping of subprocessor type onto expression-state type. 

Design decision Al - Control-points will serve 

as uniquely named destination addresses for inter- 

Process mern. ares, he arrival ol such messages, 

as well as local subprocessor operations, may des- 

ignate an ES/CP pair as reauesting a subprocessor, 

regardless of the status of other pairs. The sys- 

Dem orOcessoOr willl apply at most one Subprocessor 

to a process State each process Step. 

If interprocess communication is to be permitted be- 
een the processes in the network, there must be some way 
Oi unambiguously directing each message to the destination 
process. Control-points are used to name particular ex- 
Mees tON-Staces within the process state. By using them 
BoEecommuntcation alsoywother processes are able to direct 
Mer messages to a particular ES/CP pair within a process 
actes mot Just to Che process itselís» bddressing an inter- 
action to a control-point name in effect addresses the pro-- 
assi hilo contains an ES/CP pair by that name. Process 


designers thus need not be concerned about the residence of 


the destination process as far as message delivery is con- 
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cerned, Directing messages to particular ES/CP pairs pro- 
vides a generality for process designers not normally avail- 
able. 

If control-points are uniquely named and messages 
directed to particular ES/CP pairs the system processor can 
Sempoleve the delivery, If the messages were directed only 
to the process then the subprocessors would have to deliver 
them to the appropriate expression-state. Constraints would 
have to be placed on all subprocessor designers to ensure 
they all did it by the same conventions. This would be a 
mesoriction of their design freedom which is not necessary 
when the system processor delivers messages to uniquely 
named ES/CP pairs, 

The system processor must know when a process is re- 
Questing that subprocessors be applied. Part of the status 
Or a control=point must thenebe whether or not it is making 
such a request (Demand Status). 

When a given subprocessor is interpreting the process 
Sabes it vould be arbitrary to prevent that subprocessor 
from changing the demand status of the other ES/CP pairs in 
that process state. Process designers should have the 
flexibility to make use of such intraprocess (interexpres- 
sion-state) control operations. This design choice is con- 
sistent with our desire to permit subprocessor designers to 
perform any operation which remains local to a process 


Scacve, provided of course it dots not violate any of the 
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other constraints or design decisions. 

Interprocess messages could have been received pas- 
Sively in the sense that each subprocessor would have had 
Be Hook in a buffer to see if there were any pending mes- 
sages. Active designation of an ES/CP as demanding a sub- 
processor upon the receipt of an interprocess message would 
be analogous to interprocess interrupts and provide a much 
more flexible control mechanism. 

At a minimum, some sort of wake-up signal has been 
accepted as a necessary mechanism in most of the systems 
recently designed. This makes a wait loop unnecessary. A 
process may go to slesp pending such signals, The waksup 


feenaliwsn Can be considered”"a type of message from some 


fees, in our design, the operating system Is not unique. 
It would be a set of processes, managed like all other pro- 
@eoces Dy process designers, whose most important attribute 
is their relative position in the process hierarchy. There 
is no reason why only a system process shouid have such 
abilities in general. The active receipt of messages in 
our network design permits interprocess interactions to have 
the same effect and provide process management the desired 
pemera Livy. 

The introduction of message activated ES/CP pairs 


(message sets the pair demanding) means that more than one 





such pair in each process state could be demanding a sub- 
processor at one time (just as for active hierarchial in- 
terrupt routines). If only subprocessor operations local 
to a process could have activated other pairs, such opera- 
tions could have been constrained so that the subprocessor 
made sure that only one such pair was requesting at a time. 
To require the same thing for interprocess messages would 
require interacting with at least one system processor. The 
System processor would have to be gseatiy complicated 11 1t 
had to provide information to a message generating subpro- 
cessor on what the receiving process was doing. The trans- 
wW Cing process might experience long delays waiting for 
weeeccory Infermakionzif the processes were in different 
EVSTENS“ 

Permitting more than one ES/CP pair, within a process 
rates, to be requesting a subprocessor gpreatly simplifies tne 
design. The system processor does not have to provide ser- 
Vices to a process about what the other process is doing 
and the generating subprocessor does not have to include 
PO NisLons. tor such interactions with the system processor. 
An incoming, message may designate an ES/CP pair as demanding 
a subprocessor independently of the status of other pairs. 

Multiple demandinss ES/CP pairs within one process 
State introduce a potential ambiguity into process behavior 
which must be removed. If the processes in the network are 


to be well-defined, both process designers and the system 
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processor must know unambiguously which one of a set of de- 
manding ES/CP pairs will receive the subprocessor. In order 
Mo prevent subprocessor race conditions Tor access to parts 
memcmerOCCss Stave, and Still permit multiple subprocessors 
to access that state, either disjoint environments or inter- 
Subprocessor race resolving would be required. 

The only reason to have multiple expression-states 
in a single process is to share environments. Requiring 
expression-state environments always to be disjoint is 
equivalent to putting them in separate processes. The sys- 
Wem processor might be able to check for disjoint environ- 
ments within a process=-state before applying the subpro- 
cessors. Even if decision procedures could be determined 
mer some initial set of Subprocessors, any additions to the 
set would require modifications to the procedures and great- 
ly complicate the network design. We have attempted to 
keep the system processor simple and design it in a way 
which permits the simple introduction of new subprocessors, 
Requiring it to determine disjoint environments at subpro- 
Cessor allocation time 1s a complication not necessary if 
che system processor applies only one subprocessor to the 
Process Stave each process Step. 

Subprocessors cannot take care of this problem them- 
selves because 1t would require inter-subprocessor inter- 
actions which would violate the basic independence of sub- 


Processors. We introduced subprocessors so they could be 





independently designed with no concern for what other sub- 

processors are doing. Each subprocessor designer knows that 
no other subprocessor can access the process state until it 
has completed its operation. A process will undergo a pro- 
ess step each time a subprocessor is applied to its process 
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The system processor and process designers must not 
encounter any amblguities concerning which subprocessor will 
be applied to a process state containing more than one de- 
Ne s/c. paina Therefore, there aust be aywell-deiined 
decision proceaure which both the system processor and pro- 
Seagecdesipner scan use to makewsuch a determination. 

It would be arbitrary for this design to say which 
such procedure must be used. Preemptive (priority) or non- 
preemptive alternatives are possible. In the case of non- 
preemptive, once an ES/CP pair had a subprocessor applied 
Pombo. iC vould Continue having it anplied until it had 
Completed 1Cs opsrations. In the case of the priority 
hierarchy (preemptive), a higher priority ES/CP pair might 
become demanding before the lower priority pair had com- 
Meco in This cagex. the Ssysvem processor would cease 
applying a subprccessor to the lower priority pair (at the 
end of that process step) and start applying one to the 
ee e a Or LE pal, Such a moalificacion of subprocessor 
application before an ES/CP pair has completed its sequence 


of process steps will be defined as an interrupt within the 
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network structures. 

"auits,on the other hand, will be defined as occur- 
Baer y mele a subprecessor is carrying cut amrocess step, re- 
sulting in a change in the sequence in which the subprocessor 
is interpreting the current program stream. During the exe- 
eution of a subprocessor, certain abnormal conditions may 
Ceemurwwhich normally require the subprocessor to change the 
Sequence of transformations it is carrying out; The actual 
mechanism used must, of course, be language dependent and 
therefore part of the design of that subprocessor. Faults 
are always handled as operations local to the expresslon« 
state which was being interpreted when the fault occurred. 

A4,1 ~ Each process state, except the PR Pro- 

cess state, will contain am ES/CP pase whieh 

zıeımarrunt all Guhers 1n That process and 

which can ve interpreted by the AO subproces- 

sor. 

We have delegated to the AO subprocessor designer 
wine responsib111ty for fulfilling the network responsibili- 
Biles for accountable objects. It is of utmost importance 
Maat it not be possible for any process to prevent the AO 
Supp recessor from carrying out its duties. 

Any process must be capable of accepting at least 
One contmol-point. lmorder to eceemplish any transformations 
on the process state. Each process state will thus contain 
at least one accountable object (that CP) which the AO sub- 


processcr must protect and account for. The AO designer 


must be permitted to maintain whatever information is 
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necessarv for the AO subprocessor to do its job, irrespective 
of what else the process may be doing. Each process state 
must therefore contain an expression-state where such in- 
formation is maintained and available to the AO subprocessor. 
ma order for the ACO subprocessor to be applied, the expres- 
slon-state must be paired with a control-point. Each pro- 
cess state must therefore always have an ES/CP pair to which 
the AO subprecessor can be applied. 

A preeess must never prevent the AO subprocessor from 
being appiícd when the ES/CP pair is demanding the AO sub= 
Processor. Simce the system processor applies subprocessors 
BO Process states, according to some Well-defined algoritm, 
che design must constroin the algorithm by which this is 
done. The AO subprocessor must be applied when demended, 
in spite of what other requests for subprosssscr application 
are outstanding within a process state. The AO subprocessor 
ES/CP pair must therefore interrupt ali other subprocessors. 
This is the only way the necessary guarantee (that the pro- 
cess cannot lock out the AO subprocessor) can be made to the 
designer of the AO subprocessor. 

AN,2 ~ In additicn to its basic functions, the 

AO subprocessor will be responsible for regu- 

ie Pp uacessyubirtbo death, and intersystem 

movement. 

Because of possible effects on accountable objects, 
the design must (decision Al.) delegate to the AO subproces- 


Bora ener the responsibility for validating process birth, 
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death, and intersystem movement. For example, a process 
must not be permitted to commit suicide and destroy some 
delegated accountable objects. Birth and intersystem move- 
ment of processes may also effect the accountable objects 
Mer which the AO subprocessor is responsible. The AO sub- 
processor designer must be able to prevent all such problems. 

the network design cannot permit arbitrary subpro- 
Seasors to fuifill these responsibilities since this weuld 
require interference with their design (Al) to obtain appro- 
priate guarantees. The design therefore must not permit 
Beem to perform process birth, death, or intersystem move- 
ment, By requiring the requests for these operations to be 
forwarded to the AO subprocessor, the AO designer can con- 
trol what will be permitted and what will not. The network 
e@s2e thus fulfills its responsibillitics with respect to 


memeouUnvanvic OD jJECCUSm and to the AO subdpmocessor designer. 


Communication 


Dessen asclston AD — A process may senerate a 
Seo ema Ler sire@cess messarezeachz process step, 
AC SOS cas LD LOC SYSteM pmocessOr TO 

a particular buffer associated with the destina- 
tion contro l=polnti” Process designers can control 
the stent to Transnıt, thesmlbent to listen and 
the right to aliow an ES/CP pair to become de- 
mandine as amresulteof a buffered messages 








Process designers must decide what message to gener- 
ate and the information necessary to generate the message 
me tecOome Irom Wisthilne the process states. Since message 


ASS Dan is Cherefore a local operation on a process 
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rece, recepeMmsllt lity Tor it can be delegated to the sub- 
peocecesoors., The transmission and delivery of that message 
are not operations local to one process state and therefore 
must be performed by the involved system processors. Al-~ 
GIO une design of subprocessors has been delegated, the 
design of the system processor has not. Several constraints 
must therefore be placed on the design of message genera- 
tion so that the system processor design can be completed. 

A subprocessor may generate only a single message 


Ssen process See. Thas’ehoice’vasmmade primarily for*sim- 


O 


Maceity and because it does not réally restrict a pro 


ess 
[eeipner since the Process can repevitive generate a new 
Nemoaps on cach process step. The design of the system 
processor is simplified since it does not need the additional 
@reracvors required to dispatcn multiple» messages from each 
Process. in addition, although a subprocessor may hit a 
Pound during the generation of a message because of the 
Size 01 the message, after 1t is generated the system pro- 
cessor sees only a single bounded message. The complexity 
of a message is subprocessor dependent. Although a sub- 
processor may require muitiple process steps to construct 
aemessagey the System processor need not be concerned with 
such problems. 

MigehmeeweravLouwmDy a subprocessor sy the messages are 
"broadcast" by the system processor to a particular buffer 


assoclated with the destination control-point. "Broadcast" 
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means that the system processor wlll transmit the message 
immediately. There will be no intersystem synchronization 
memoevermine if the destination process is not listening, 

a already has a message in that buffer. The destination 
CP might not even be & member of some ES/CP pair which would 
result in the network ignoring the message., 

These types of interactions due to interprocess mes- 
Sas nandiine are the responsibility of process designers, 
mot the system processor. When a process says transmit, 
tne system processor may not know enough about the reasons 
Mor the request to say such a command is correct or not. 
Only a process designer can know. For example, there may 
be processes which wish to overwrite an old messape if it 
has not already been interpreted by the destination process 
(e.g., a real time clock interrupt). Since there ís no def- 
inition of the relative speeds of systems in the network, 
nothing can be said about how soon (number of process 
steps) the message will be delivered if the receiving 
Peocess is in another system. 

If process designers are to be able to control the 
use ol a flezible interprocess communication mechanism, they 
must be able to control the right to transmit to a particu- 
tar buffer associated with the destination control~point. 

lthough a single receiving buffer could have been asso- 
paro yb each control=-polnt, thís would have besen un- 


necessarily constraining on process designers. Two pro- 
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cesses in different Dy ENS interacting with a third, would 
have to interact themselves to ensure that only one of them 
at a time was using the buffer, if only a single buffer for 
each ES/CF pair was allowed, the receiving Process, of course, 
could provide as many ES/CP pairs as necessary to receive 
messages from different processes, but this seems like an 
unnecessary waste of control-points. Mult ple buffers 
(which need not be created unless desired) provide a more 

flexible interprocess interaction Capability without Sige 
meri cant complication, 

Bach buffer can be thought of as a queve capable of 
containing one or more messages. The most degenerate queue 
15 of size one and is the Simplist from a Geostand poi: oF 
view, but larger buffer queue sizes might be useful for cere 
tain kinds of applications. At this point in the design it 
would be arbitrary to say what the queue length must be. 

If a logically infinite queue is considered, then 
the design must consider the fact that the implementation 
might actually have a fixed number of buffers to use. This 
is just the boundedness problem and therefore must be con- 
Sidered anyway. If the queue length is logically finite 
then the design must consider what to do in the case of 
queue overflow. For example, the newest message would force 
the oldest message to be lost. This is what is done in the 
case of length one (e.&., messape overwrite). Message re- 


ceipt resolution in a digital system can be no better than 
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the system cycle, It will be pointed out later that a pro- 
css step in this design occurs oniy once every three system 
cycles, The queus greater than one would permit the system 
to resolve messages each system cycle instead of once each 
process step. In this design a queue of three would give 
Ane system cycle message resolution if the process cleared 
the queue each process step. 

The design requires a source to direct messages to 
particular control-point buffers. Process designers can 
then be provided mechanisms for controlling interprocess 
interactions due to competition for buffers by providing 
sonvurol over the right to transmit to particular buffers. 
Single or multiple rights could be provided (such rights 
will be accountable objects managed by process desirners). 
Mwitípie rights to transmit to a singbe buffer might result 
in race conditions. The resolution of such conflicts between 
asynchronous systems would require a significant complication 
of the system processors. Therefore, the use of multiple 
rights to transmit to one buffer must be cooperative and 
either involve only identical messages (an interrupt) or be 
Peas DY OnlyeOneceapryOCcesSmat a Time. 

The design will also provide process designers with 
the ability to control when a process will listen (buffer a 
message) and when the ES/CP will demand a subprocessor to 
take care of buffered messages. Although control of trans- 


MesesctOn 16 sufficient to accomplish this, local eontrol of 





message buffering by the receiving process makes the process 
designer's job simpler. Since the buffers associated with a 
control-point are contained in the system containing the 
destination control-point, informing a system processor to 
DECON Or nov is simple. Controlling the rights to transmit 
would present processes a much more difficult task, For ex- 
ample, a process might become uncooperative and start trans- 
matting arbitrary messages to all buffers to which it has a 
right to transmit. It may take numerous process steps be- 
tere its perent can be notified, and can discipline the 
anita... Control over IFfestening solves this problem easily, 

Each controlepoint buffer records one complete in- 
coming message, Process designers in addition to control- 
wnn Ehe listening of dach buffer, will be able to control 
when such buffered messages will cause the ES/CP pair te 
demand a subprocessor to process such messages. They are 
the only agents who know enough about the design of their 
processes to safely do thiss 

koreien systems wererintroduced as a result of con- 
straint Al to provide an open network. Since nothing is 
assumed to be known by the network designers about foreign 
Systems or their processesm foreign systems must not be 
permitted to violate any of the network constraints or de- 
un sdeocı ons. Thus; CHE only interactions which can be 
permitted by foreign systems with the network will be the 


exchange of messages with processes in the network. 
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Suchzecommunication will look no different than any 
normal interprocess communication, A control-point capable 
of serving as a destination for messages from foreign sys- 
tems will have a single buffer associated for each such 
source. Process management will have all of the mechanisms 
discussed above for controlling the receipt of such messages. 
Transmission to foreign systems will be represented only az 
@ coliectiion of rights to transmit to some destination "con- 
trol=points" which do not exist in the network. 

Process designene Vill be responsible- -fo controlling 
interactions with such systems insiuding the interpretation 
of such messages and other related matters. The network de~ 
en chusetuliills its responsibilities by constraining the 
interactions between foreign systems and the network sys- 
tems to occur only using normal interprocess communication 
mechanisms. By constraining such interactions to occur only 
with the processes in the network, and not the systems them- 
selves, process designers can be held responsible for the 
management of such interactions. 

A besic description of the operation of the system 
processor can now be piven. Each system processor is de- 
fined as having a major cycle consisting of three phases. 

A process may undergo one process step each major cycle. 
The requirement for phases is a direct consequence of the 
fact that the system processor must perform all of the oper- 


ations not local to a process state without race conditions. 
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Some of these operations are sequential in nature. During 
the first phase (subprocessor allocation determination) the 
System precessor determines if any buffered messages should 
cause an ES/CP pair to request a subprocessor. Using this 
information and information about all other requesting pairs, 
it determines which ES/CP pair within each process state 
Peeura mave chersubprocessor appis.ed, and delivers messages 
to that control-point if that is appropriate. The second 
phase is subprocessor application. During this phase sub- 


Droeessors disnose of messages and carry out other operaticns 
on the process state. These subprocessor transformations 
Teli constitute that proces step. The final phase hw mes- 
Sage dispatching. Any messages which were generated by the 


Subprocessors during the process step are dispatched by the 


System processor and the next cycle begins. 


Definition, Modification, and Bounds 


Design decision A6 - The initial network def- 
Tnitionwill consist of one basic system with 
an initial root process state. Network modi- 
fication operators wiil permit the creation of 
al least acdırlonal Basic Systems, subproces- 
SOS “ue processor Operators and system pro- 
cessor operators for control-point housekeeping. 


Network modification was introduced in the previous 
Chapter (C5) and the network designers were delegated re- 
SpenstDtlivy tor derinitlon ot the initial network and all 
potential evolutionary paths. Without evolution, a particu- 


lar network definition would have to be chosen which might 
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handicap some potentlal applications of the network design. 
A minimum network, with evolution, permivs each application 
to evolve the network definition ic fulfill its own needs 
(within the constraints placed on evolution by the network 
designers). This design tries, wherever possible, to dele- 
Pee LOMERG users, “authority and responsibility for those 
decisions best made in the context of their applications. 

All basic systems will consist of a system processor 
containing the three required subprocessors aná a PR process 
state. In addition, the initial basic system must also cor 
Bun a proct process state which serves as the initial root 
of the process tree, defines an initial set of accountable 
objects, and by repeatedly executing or delegating modifica 
tion operators, generates the particular network definition 
desired. 

ine set cf network modification operators, operate 
Sache Gefinition itself and not on the process states. They 
are meta operators and either act as a no-op if the request 
Bor a permissible path of evolution or fault if it is 
not (N4). Such evolution, other than the addition of a new 
system; must be local To the system within which the opera- 
tor was executed (N5), and process designers must be able to 
limit the effects of a such operations to the process exe~ 
cuting them (N6). 


A6.1 - The design of modification operators 
will be Gelegated to subprocessor designers. 
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Modification overators will not introduce 
new modification operators. 


Moe ne initial MELwork definition, the net- 
‘Work designer is responsible for all evolutionary paths, but 
Process G@eslpmers are responsible for selecting which evoiu- 
tionary paths to follow (D6). Modification operators there- 
Pore must be available to the root process, in the initial 
Bu). proviaca, If 10 4S to be able to create the desired 
networks. Since language design has been delegated to sub- 
Besser UeSipiucrs, the design of the modification opera- 
tor themselves, must also be delegated to the subprocessor 
designer. 

The problem of proving that a modification operator 
does nov permit a violation of any of the constraints or 
Besien decisions is greatly simplified if we do not permit 
a modification operator to introduce another modification 
operator. Such operators would require recursive proofs 
which seem to be impractical. The design of the original 
operators seems to present sufficient challenge for the pre- 
sent, 

Dea meeecss lon Af inacecessible objects may 

result Irom meva-operaticns Invoked by impie- 

mentation desipnners because either a subpro- 

cessor hits a bound or there is an implementa- 

fone o SD. rocessors trying to access 

ais ess ole cobieco Will fault, 

The network design is to include bounded computer 


systems (Pl). Problems due to having limited physical re- 


sources which the implementation cannot solve and which 
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en ers | Process state in tho network, must be reflected in 
the process state Structure so process designers may amelior- 
ate the consequences (D5). 

Implementation failures are a special case of the 
boundedness sa Given any implementation, there is some 
probability > wool tad lew the particular probability- being a 
function primarily of the finite physical implementation. 

By increasing the assets available, implementation design- 
could mnedvces the probability of suchetailurmes«. In the 
Dm ua Sech failures could be eliminated „but since no im- 
plementation will have unlimited resources, provision fox 
implementation failures must be included as part of the 
boundedness problem. 

inaiceesss blenOb | ecetsvarcea sufficient solutioneto 
the probiems of implementation failures. When the implementa- 
Peon recognizes a problem which it cannot solve, it will 
mocntiFy the smallest logical unit of the process state 
which contains the damage (this might be the value of a var- 
table or the whole process state itself). The implementation 
will then mark tnis smallest unit as an inaccessible object 
and continue until such time as a subprocessor attempts to 
access that part of the process state. The subprocessor will 
be caused to fault when it attempts to access an inaccessible 
object. This mechanism is sufficient since it does accom- 
plish notification of damage to a process potentially capa- 


ble of doing something to ameliorate the problem. If no 


a, 
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Process ever trites tomaccess the information then no notifi- 
Elon occurs: 

if the design required the implementation to notify 
some process when an inaccessible object occurred, some des 
termination would have to be made of which process to notify, 
Pomona Wien, This probably cannot be properly decided by 
implementation designers since they do not know enough about 
What process designers were trying to accomplish. 

Creatine inaccessible objects within a process stat? 
must be a meta operation to the defined network since the 
decision of when and how to do it must be delegated to the 
implementation designers. It is meta in the sense that the 
Preavton of tre inaccessible objects is not formally defined 
d E Operatorin the network GWefimation. The processes 
Amo? execute an operation and create one, they are created 
only by the implementation. Subprocessor designers must de~ 
fine what their subprocessors will do upon receiving a fault 
May ing ct has atvemptegd To access an Inaccessible object. 

Therezsis nothingerin the desien which"Would prohYosit 
some type of "meta deal" between subprocessor designers and 
implementatiom designers so that an elastic bound fault will 
geeur instead or ereaving an inaccessible object in some 
cases. The operands to an operation might not be destroyed 
until the implementation is sure the operation can complete. 
This would permit the implementation to return things to the 


way they were at the beginning of the operation and return a 
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fault to the’subprocessor saying the cperation would have 
resulted in an "inaccessible object" if completed. Process 
designers might then be able to take care of the probien. 

Although the root process contains an initial set of 
Seeouncable objects, as the network evolves this set may net 
be sufficient. For example, as the network definition is 
modified to permit the system processor to take care of addi- 
wional control noints, process management will want to intro- 
duce into the process states new accountable objects repre- 
Benting those additional control points, Sänce the modifi- 
cation cperators are no-ops and do not modify the process 
res, of additional operator must exist to introduce the 
necessary accountable objects. The designer of the AO sub- 
processor chooses particular representations for accountabie 
objects and therefore must define the operations which intro- 
Gece neweacceunvable objects, althougn some of the operators 
could be delegated to other subprocessor designers under 
Bl. Meta arrangements with the implementer which define 
mappings between accountable objects and particular opera- 
tors in the system processor structure is also the AO de- 
signers responsibility. These are not modification operators 
Since they operate on the process state and not on the system 
mmocessor definivion. 

A7T.1 - Implementation failures affecting the 


accountable object chain may cause ghost pro- 
cesses. 





es 

If damage occurs only to accountable objects, a suf- 
ficient solution is to handle it using the inaccessible ob- 
Hecvmmechani sme Most likely, the designer of the A0 subpro- 
cessor will invoke another meta arrangement with the imple- 
Menvationewhichwwdll permit the implementers to notify the 
AO ES/CP of such damaged accountable objects. The AO sub- 
processor can then be invoked to provide scme services to 
the process to help it solve the problem. Such operations 
are Deranecorssary and,.as part of the AO subprocessor desizn, 
they are not of interest here, 

When part of the accountability chain is destroyed 
but some of the acccuntable objects are not damaged, that 
Bart of the chain relevant to those objects can be recon- 
structed through ghost processes. A ghost process is an in- 
accessible object, except for the AO type ES/CP pair which 
momeains 2a reconstructed accountability chain. It is up to 
the implementation designers to do tne best they can to put 
the chain back together by providing the appropriate informa- 
tion to the AO subprocessor. Since there is a unique name 
for all processes (tree of process names), such reconstruc- 
Clon of the Chain is possibile as long as the accountable 
ect Naaenoeives exists. Ihe design choice here is to re- 
quire the implementers to do the reconstruction wherever 
possible, 

Some of the subprocessor designers may wish to pro- 


vide some services to permit the processes to be notified of 
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DroblemsHwith the accountable object chain, but again, this 
nor NECESSARY. Since pmecesses.smay exist in different 
systems, the mechanism as presented here would still be 
mecessary since the system containing a damaged process 
state might undergo several process steps before the noti- 


fied process is able to act. 


initial System Choices 

This chapter has informally presented the essential 
network features of the designs The constraints and design 
decisions define the members of the set of networks that are 
of interest. Specific selections must now be made to define 
the initial network system from which the desired networks 
Mona tne set may evolve. Although all networks within the 
set are votentially reachable, any particular design might 
timit those reachable by providing an appropriate selection 
Sul: Podirication operators Simeer tne detans.tion of modi í1- 
cation operators has been delegated to the subprocessor de- 
signers, little more will be said about which evolutionary 
paths will be available in any particular network. 

The initial system will not be highly evolved and 
therefore will provide maximum potential for evolution. 
This is good because it encourages the subprocessor desipners 
Dosinelude the peneral meta modification operators which can 
ereaste Unose specific features which might be desirable. 


Below is a list of the structures to be included in the 
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initial network definition and follcwing it will be a dee 


seription of some of the reasons for those particular choices, 


initial System Processor 
A. Service functions - not local to a process. 
Dubprocessor application by priority. 
Message dispatching and delivery. 
Message buffering. 
Start process. 


Modıtrlestıon invocations. 


B2 = SUD processors: 


Type <= AO, GP, PR. 


Ce Process staves, 
(1) Types 
PR process state, 
PR type control-point and expression- 
state. 
Initial root process state, 
AO and GP type expression-state. 
AO and GP type control.-point. 
(2) Control-points 
Subprocessor type static: 
Friegity static; 
Bis -zone Priority; 
LO highest. 


GP =- each unique. 
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Demand DIt., 
AMS SCA CA Wao an arm Div. 


PR = Ior each mOouUWOrikK SYSteMm. 


acknowledre 
for each process in that system 


ba pa 


AG = 3 + N, interface, acknowledge, 
PEDE actor each child 


BP - fixed number - (initial 1). 
Enable bit 


Deliver order bit 


The initial network definition consists of one sys- 
tem processor (containing the AO, GP, and PR subprocessors) 
along with a PR process state and an initial root process 
State (A7). A priority hierarchy of control-points has been 
chosen as the method by which the initial system processor 
wlll determine which subprocessors to apply to a process 
state with more than one demanding ES/CYr pair. Within the 
system, all requesting processes will recsive a subprocessor 
in parallel each process step. The priority mechanism was 
chosen because it is simple, unambiguous, and provides an 
interrupt capability. If our choosing this particular al- 
gorithm becomes a serious constraint on the introduction of 
SaS because of the s£ of modification operators provided, 
it is a constraint which can be tolerated because it al- 
ready provides a greater generality than do most current 


designs. 
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In addition to subprocessor application, there are 
several other services which the system processor will per- 
form, Subprocessors generate messages. but must leave them 
for the system processor to dispatch (an operation not local 
to that process). The same is true cf message delivery. 
Operators must therefore exist in the system processor to 
perform these operations and to do the housekeeping for the 
buffers associated with control=-points, 

The AO subprocessor wiil indicate a process state 
which is validly requesting transmission to another system 
and designate the system to which it is to be sent. The 
system processor will then deliver tne marked process state 
vo the local PR process for transmission to the destination 


System. ‘The PR process wlll then transmit that process 


Y 


tate to the appropriate destination PR control-point buffer, 
The destination PR process will acknowledge receiving either 
the process state or an inaccessible object, prepare the 
state just received to run in the new system, if appropriate, 
Bma@epresent it to tha system processor to start. Since 
A in 4a process is not Local to the PR process state, it 
must be performed by the system processor. 

One last service to be provided by the system proces- 
mnie vo ao cn modification operators. o oubprocessors 
will place in the interface buffers valid modification com- 


mands, The system processor will execute operators to clear 


the buffer during the message dispatching phase. The system 
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processor will undergo modification at the end of the mes- 
Sage dispatching phase (after all operators have completed) 
so that at the beginning of the message delivery phase the 
new system definition will be in effect. This provides a 
Pett —cetined place in the operation of each system processor 
Where the definition change occurs. 

The PR process state will contain only PR type ex- 
pression-states while The initial root process will contain 
both AO and GP type expression-states. Control-points will 
Bene oz che types PR, AO, and GP, and all ES/CP pairs will 
pair control-noints and expression-states of the same type. 
In the initial definition there is no need for more compli- 
cated pairings. 

There will be a fixed number of control-points in 
mre network and additionms to this set will occur only 
through network modification. 

A more dynamic generation of control-point names by 
Eae system processor as partyeof its auxiliary functions 
would have been possible (instead of reauiring modification) 
but this would have unnecessarily complicated the message 
band ling and subprocessor application operations. The trade 
off required for a non-fixed number of control-points is 
added system processor cycles. Iteration is required for 
message updating and subvrocessor application instead of 
the parallel operator application which is possible when the 


number is fixed, 
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Each control-point will be permanently associated 
with one subprocessor type (GP, AO, PR) and will have a 
static position in the priority hierarchy. The static bind- 
ang of subprocessor type and priority to control-point name 
Simplifies the design of subprocessor application operators 
for the initial network definition. These items becone part 
of the control-poínt name thus simplifying representations. 

A priority will be associated with all control-points, 
PR- control-points do not compete with other control-pcints 
Hea Suibprocessors. The AO control-points will nave higher 
Bemorıvy than all other control-pcints in a process so that 
they will interrupt all other ES/CP pairs in that process 


(A6). All AO types may share the same pricrity since ther 


{i 


will only be one such control=point competing in each pro- 
ess State. 

Each GP type control-point will be assigned a unique 
priority. The initial network system will contain only one 
GP type control-point and modification operators will be 
used to generate the desired number of additional GP type 
control- points. An evolved network with multiple GP control- 
mas each vlthea Unique priority, will permit multiple 
GP type ES/CP pairs, having interrupt capabilities, to be 
contained in one process state. 

ASMA O Datewise De asisceraved WIC each control- 
point, Wien 10 is a member of an HS/CP pair, to indicate 


that it 1s demanding a subprocessor. An arm bit will be 


fee 
E 
IND 


associated with each control-point buffer to indicate 
whether or not the system processor should accept a mes- 
sage destined for that buffer. All buffers will have a 
queue Length of one for simplicity. The PR control-point 
wiıl initially a one buffer for the initial root procass 
ana one message acknowledgment buffer. An additional buf~ 
fer will be added each time a new system is added to the 
network definition or a new process is started in that 
system (and deleted when that process is kilisd or moved). 
This will permit maximum freedom of movement of the prosesses 
over the systems in the network, PR control-point buffers 
are always armed. 

neto csnerol-polnt willshave an interface buffer, 
an acknowledgment buffer, a buffer for the parent process, 
and one buffer for each child with which the AO subproces- 
m Can conduct ite interprocess business. An interface 
buffer is ,required, for cach process,,to be used by, the sys- 
tem processor, for message dispatching and delivery. Only 
one jis necessary since the design ensures that the system 
processor will only operate on it when no subprocessor is 
pens applied, and at most one message is generated by that 
Process in a single process step. Since an AD control=-point 
D ats imeach process p the interface buffer can be associ- 
ated with it. The network design puts no limit on the num- 
ber of children a process may have, and they will each have 
an AO type control-point which will need to talk to their 


parent. One buffer is also needed to receive messages from 
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the parent, Such a mechanism is necessary to ensure that 
no accountabie object will be lost because of race con- 
ditions for a singie buffer. AO control-points are always 
armed. 

In the case of both PR and AO control-points there 
will always be at least one buffer which will be coopera- 
tively used to receive acknowledgments. One buffer is suf- 
ficient as long as they transmit only one message at a 
time and wait for the acknowledged receipt of that message, 
due to operational requirements, it is desirable to 
Maweemore than one message in transit at a time, then modif- 
ication operators can be executed to create the desired 
number of additional acknovledgment buffers. 

Fach GP control=point will have a fixed number of 
buffers, not necessarily the same for all control~points. 
The initial definition will include only one buffer with 
ees Single GP type control-point. One*buffer Is necessary 
since we must have an open network (C1). The single buf- 
fer will serve as a destination address to which foreign 
systems can send messages in the initial network. This 
Onil permit messages»to direet the root process to stop or 
Suerte and to inject a program into it which will generate 
mic preperenct weak. Arming GP control-point buffers is the 
responsibility of process management. GP control-point buf- 
fers are automatically disarmed when a process requests to 


move to a different system. 
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Each control-point will have an erable bit to indi- 
cate whether or not a message should be processed to cause 
an interrupt. A message coming in for a eontrol-point 
Maleh is currently emanada 11 nNetwaliecefaiteuntil At 
ceases Gemanding. ‘This permits the subprocessor designer 
to know that there will be no messages to be taken care cf 
before the present sequence of operations are completed and 
the demand bit is turned off. It will be turned back on if 
any messages are pending. PR and AO control-points are ale 
eye enacled, GP control-points will be under GP program 
@enurol by the process designer. 

the last item to be included with each control- 
pont Md bea deliver orde bit: When a control-point 
(with priority high enough to interrupt another ES/CP 
pair and enabled) is in receipt of one or more messages, 
the system processor must decide which message to deliver. 
See the buffers are individually named, a priority can 
be associated with each of them. The system processor can 
then deliver either the highest priority buffered message 
or all such buffered messages for that control-point. No 
reason has been found to choose one delivery method over 
the other so both will be permitted. The deliver order 
bit provides process management control over which method 
will be used. Both AO and PR will always receive multiple 


messages. 
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A problem is introduced when a modification oper- 
ator introduceg a new system into the netrork definition. 
Potentially the new system could send a process to all 
other systems before cach system has the required PR buf- 
fer for the new system. The design must ensure that a 
process not be lost in this way. Since modification oper- 
acors must be executed local to the system being modified 
(N5), a modify operator changing each PR control-point buf- 
fer set must be executed in each system. A PR process there} 
fore will not transmit to any other system until it is in- 
formed by a message from the PR process in each other sys- 
tem, that the buffer has been created. 

The initial network definition as presented above 
weil de formally defined in Appendix C. in addition, 
Sees AC PS not very enligatentnes because of its simplicity, 
Appendix C will also present a two system network defini- 
Cin, With additional process states and control~points To 


illustrate better the network design. 





For the designer of advanced informa- 
tion systems, a vital requirement of any 
operating system is that it allows him to 
nace mode 01 operation it Controls; 
otherwise his freedom of design can be ser- 
iousiy limited. (Per Brinch Hansen (ed.) = 
Hae | tage pa 13) 


CHAPTER 4 


SYSTEM COMPARISONS 


Summary of Network Structures 

Many features of the design presented in this thesi 
nave been used in other dGesiens. The usefulness of this d2- 
sign arises chiefly because of its organization which pro- 
vides process state structures end defines operations on 
these structures which permits the delegation of authority 
and responsibility over process behavior to the appropriate 
interacting agent. Most contemporary operating system pro- 
blems are thus either circumvented or solved with only mini- 
mai cone mantos beins placea on the users. The generality 
of our network makes it a useful model for studying other 
system designs. This section will summarize the relevant 
Braperiieszurnichssunetwerk, as deseribed in chapter three, 
mould peCesemge. “The next sectieonmywillediscuss, and compare 
with our network, two systems which use a hierarchial pro- 


cess structure (RC4000 and TENEX) and one general network 
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(ARPA). The final two sections of this chapter will discuss 
on summer veseerch, ana summarize What this thesis has 
accomplished along with some of the benefits to be gained 
Brom Lt. 

The previous chapters presented the design of a logi- 
cal network which will support well-defined processes. If 
the processes were not well-defined, investigation into the 
Properties of the network and the processes it will support 
Weed be difficult, if not impossible. The whole design 
must be weli-defined if useful services and facilities are 
to be developed. If the network is not well-defined, guar- 
ameeing its present logical properties would be difficult. 

The initial design cannot be expected to include all 
future concepts; therefore it must be designed so some of the 
design responsibilities can be delegated to future designers. 
Users must be delegated responsibility for the control of 
process behavior. The network designer cannot hone to fore- 
cast what all potential users of the network will want to do 
or what alporithms will be necessary to manage the processes 
they create, Only the users know what they expect their 
processes to do. For the delegation of design responsibili-~ 
ties to be successful, the processing components (network, 
system, subprocessor), and interactions between them and 
mre pTrOoctcoces Tumias on the network must be clearly defined. 
The delegation of responsibility for the control of process 


behavior is only possible if process, process state, and 
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process step are cleariy understood, along with intraprocess 
and interprocess interactions. Since processes may attempt 
to become uncooperative, the network must provide to the 
Meer facilities for the management. of such processes. If 
interesting options are to be developed, general pro- 
cess state structures and transformations on these struc- 
tures must be provided. If any significant software stabil- 
icy is to*éxist, the design must be machine and technology 
independent. 

A network is defined as a set of asynchronous (no 
definition of the relative speeds at which the systems are 
Carrying out their operations) interacting digital systems. 
Interactions between them are possible only using broadcast 
messages (message transmission occurs without regard for the 
state of the destination system, as with asynchronous inter-~ 
rit Se) . 

The logical network that a user will see is being de- 
Signed here, not the physical systems upon which the Gefini- 
ron will be implemented. For example, since the design 
does not constrain the relative speeds of the network sys- 
tems Nor how messages are physically moved from one system 
to another, the implementer is free to use whatever tech- 
nloues and proteeslsı are @esirable,. What physically happens 
between the time when one logical system transmits a message 
ana wae othem logical systememeceiveseity or how long the 


procedure takes is the implementer's business and not part 
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of the network design. 

Dealing with logically asynehronous systems has the 
advantage that individual system designers and implementers 
ooa mot bhe concerned with what other systems are doing ex- 
capta for the asynchronous Comyn cations On the other hand, 
if the users want logical synchronization between processes 
meine Ol different systems in the network, they must ac- 
Geppiish it using asynchronous interprocesses communications, 
rather than by relying on synchronization of the steps of 
the systems (intersystem lockstep is not defined in the net- 
work). 

The operations of each network system are carried out 
eee Syolemeprocessor which includes a set of subprocesors 
that carry out transformations on the expression-states with- 
in a process state, System processor execution takes place 
cias pneses: subprocessor allocation, subprocessor 
Application and message dispatching. Zach process in the 
network has a single process state (contained in one system 
at a time) and is said to undergo one process step each time 
a subprocessor is applied to that state. A procsss sten be- 
comes the only invariant measure of "time" in the network. 

The system processor will use information contained 
Poe ess state CO apply subprocessors, but will apply 
omy One subprocessor to a process state each process step. 
Since only one system processor has access to a process 


state at a time, subprocessor application becomes an opera- 
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mon Local to that system. 

Subprocessor desifmers do not have to be concerned 
wich rsee conditions due to simultaneous access to a process 
re because only one subprocessor is applied to it each 
process step. The design of subprocessor operations which 

equire more than one process step, must still solve race 
Peas... IMctercupts might occur between. process steps, 
Causing a different subprocessor to be applied, or the same 
Susprocessor to be applied to a different part of the process 
State. If process designers choose to permit interrupts, 
they must take the appropriate actions to ensure that the 
Securrence of an interrupt does not have an Improper efrec® 
on the process. 

Each process state is composed of a set of typed 2x-- 
pression-states (ES), some of which may be paired with cone 
mel points (CP) to form ES/CP pairs. <All transformations 
local to a process state are carried out by the subproces- 
sors. An operation is local to a process state if the pro- 
cess state contains all of the information necessary for the 
operation and if the effects of the transformation are con= 
tained in that same process state. Expression-states con- 
Vain all of the information necessary for subprocessor 
Operation. All operations which are not’ local to a process 
State are carricea out by the system processor using informa- 
tion associated with the control-points, 


The system processor only accesses control-point 
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information and not information in expression states, there- 
fore the internal structure of expression-states can be made 
subprocessor dependent. Certain expression=-states may be 
interpretable by only a subset of the subprocessors in the 
network. Subprocessors are constrained from arbitrarily 
accessing a type of expression-state other than their own. 
If a subprocessor designer wishes for it to have access to 
another expression-state type, then the subprocessor must 
be designed to abide by the conventions laid down by the 
designer of the other expression=state. 

Dien -econudapant of an So/CP.nair is a control- point. 
A eontrol-point has associated with it the information 
necessary for subprocessor application (type of subproces- 
sor to be applied, priority, demand bit) and interprocess 
communication (unique name, destination buffers with arm 
bits, enable bit). Control-points provide a common inter- 
face for interaction between subprocessors and the system 
BReocessor. 

Process designers use the demand bit to request that 
a subprocessor be applicd to that ES/CP pair. It may be set 
locally by a subprocessor onerating on the containing pro- 
cess state or because of the receipt of a message destincoa 
for thatecentrelnointes If mere than one JBSX4eP pelr has 
Ie Mana bitzon, chezsystem processor uses the priority 
associated with each control-point (priority assignment is 


static and arranged so no intraprocess conflicts can occur) 
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to determine which pair should cause a subprocessor to be 
applied, and then uses that pair's control-point to deter- 
mine which subprocessor to apply. 

Control-points are recognizable by all system pro- 
Gesoors so that it is possible to move a process from one 
system to another without concern over how to cause sub- 
processors to be applied. (Note: All systems are not re- 
fered to contain all subprocessors, each system processor 
epplies only those it knows about.) The user is thus free 
to move a process from one system to another to gain access 
ms pecial subprocessors. 

Interrupts and faults are clearly distinguishable 
in the desien. An interrupt occurs within a process De- 
cause the demand bit of a higher priority control-point was 
turned on. Such oceurrences only affect the decision of 
which subprocessor to apply on the next process step and 
qo not cause pre-emption of a subprocessor executing a pro- 
Geosceovéep. Faults, on the other hand, occur during a pro- 
cess step and cause an executing subprocessor to change its 
program interpretation sequence. Faults have no direct 
Sueco Oonmunich subprocessor will be applied on the next 
process step. 

oingle interprocess messages are generated by sub= 
peoecco some maUminiguule SUbDprocesSsor application phase of the 
System processor. They are placed in the interface buffer 


along with a destination address (CP name, buffer name). 
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in? cae message dispatching nhasey the system processor 
will remove the messape and transmit it. The destination 
system (containing the process state with the destination 
cp in it) will look at the appropriate buffer (a static 
number are associated with each control-point and are named 
individually) to see if it is armed. If the buffer is armed, 
the message will be buffered (overwriting any previous 
message) and if not armed the message will be disregarded. 

Also associated with each control-point is an enable 
bit which enables sending messages to cause an interrupt. 
If the control-point is enabled and of appropriate prior- 
Buy che system processor will place a pendingi message in 
the interface buffer on the message delivery phase and apply 
the appropriate subprocessor on the subprocessor application 
phases 

Since control=point names are unique and serve as 
T Cination addresses for messages, itis not necessary for 
the sender to know either the system in which the destina- 
tion process resídes or even the process itself. Processes 
can thus be moved between systems without a need to arrange 
ame Y eonun cation link. The control-jpoint itself could 
even be moved to a different process without a transmitting 
process knowing the difference. 

The relationship between the processes in the net- 
work looks like a tree and defines their hlerarchy of 


responsibility and control over descendent processes which 


134 
may be distributed arbitrarily over the network. Each net= 
work system will have an AO subprocessor (identical in all 
systems) which will account for certain objects, and enforce 
oso rictions placed on them; each process will contain an 
ES/CP pair upon which the AO subprocessor operates. The 
AO control-point always has the highest priority in the 
process which makes it impossible for the AO services in a 
Process to be uncooperative with its parent. The AO sub- 
Processor cannot be locked out since a message to the AO 
ES/CP pair will always interrupt all other pairs in that 
Process. 

All accountable objects will be maintained in the 
AO expression state. This gives the AO stbvrocessor de- 
Signer control over the mechanisms used to access them. 
Some of the accountable objects may represent rignts to 
Geri Ouvweecrtein operations. Each control-point is en 
accountable object. This permits a parent to control which 
subprocessors a child can use since subprocessor types is 
associated with the control-point. <A parent can control a 
entla's message transmission capability by rights to trans- 
mit to particular control-point buffers. Rights to move a 
process or execute a particular subprocessor operator may 
Cecomoc sic hide. In addition to rights, accountable objects 
may contain logical objects such as files. The set of ac- 
countable objects can he thought of as representing the 


logical capabilities of a process. 
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adan, len to Gage AO subprocessor, there will be at 

least two other subprocessors (GP, PR) contained in each 
System. The GP will provide general programming services 
and access to all the initial network services by interpret- 
ing a common language. Without one such common subprocessor 
in the network, process intersystem movement might not be 
very useful. 

Ihe PR will provide process state receipt, transmis- 
sion, and creation services in each system. Communication 
between the processes in the network and systems forcign 
to the network is also permitted using normal interprocess 
communication mechanisms. The set of accountable objects 
Pay econtain rights to transmit. to control-points which 
Ens Only in foreign systems, and certain control-points 
Will be permitted to have buffers to which only foreign 
systems transmit. Ne special mechanisms are required to ver- 


mit a process to interact freely with some outside agent. 


Use as a Model 

The network was designed to be general in the sense 
that it contains the concepts of most other systems. This 
section will model three current systems using the desipned 
network to show that such models exist and to relate the 
three system structures, These systems do not completely 
meet our needs (they were designed for different goals). 
TENEX (BB71) and the RCH000 (Ha 70, Ha 71a) system will be 


described first, as examples of systems which give users the 
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ability to create and control a "process" hierarchy. The 
ARPA network (CC 70, CH 72, TH 72) will be used as an ex- 
ample of a distributive network composed of different types 
computers, 

TENEX is a time-sharing system implemented on an 
Me nosa DEC PDP=10, It is the logical structure as seen 
by the user that is to be modeled, not the implementation 
of it, Three examples of the many alternative ways that 
TENEX could be described in our terms are shown in Figures 
2,2 and 3. Boxes in the Figures represent our asynchronous 
meeweins, Circics Fepresent our process state, and the lines 
Joining them represent the process hierarchy. In Fig. 3 
each set of parentheses represents an exprssslon»=state., 
We might first describe TENEX as a process tree distributed 
over a set of asynchronous systems, each system (box) con- 
taining one process (circle). (Fig. 1). Since we would 
maons havc oniy one process in each system ana since TENEX 
processes have no well-defined structure below process state 
(like our expression state), we would need no structure be- 
low the system process and would consider the user process 
to be the system process as well. The Monitor (running on 
the real system) can be thought of as the root process of 
a single process tree, The monitor process creates an 
asynchronous command system with an EXEC process in it for 
NEO ea tnen serves as the top of that job's 


Pee sont oo ss WeewOould not consider this system a TENEX 
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virtual system since from the user's point of view it inter- 
prets the command Language and not the language of the TENEX 
virtual machine. For each job process below the EXEC we 
would create a system containing a TENEX subprocessor. 

Model one puts each TENEX process in a separate 
asynchronous system. In model two the whole process tree 
is contained in one system with each TENEX process being 
ap resensed by one of or processes, whtle™in model three 
the whole process tree has been collapsed into one process, 
en tthe. process being represented as One expression 
State. Three subprocessors (schedule, command, 'TENEX) are 


contained in the single system in models two and three, in~ 


bas 


stdad of one subprocessor for each system as in model one. 
ie Mienic appear that the multisystem model of TENEX 
is better than the other two since it maps each TENEX vir- 
tual system onto one of our asynchronous systems. Although 
this may be the appearance they wished the system to have, 
in fact it is not what exists. This model completely hides 
the presence of the time-sharing algorithm (we say nothing 
about the relative speed of asynehrcnous systems) and the 
sharing of memory by TENEX virtual systems (our asynchronous 
systems do not logically share memorv). 
In the first and second models we can explicitly 

Pep, eCseciurvie vame—-sharine algorivhm by the introduction of 


an extra ES/CP pair (highest priority) in each process and 


a time-sharing process at the top of the process tree to 
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receive clock Signals and monitor messapes for controlling 
the schedule, The T/S process would interrupt the executing 
process ny sending a message to the extra pair. ‘The Messe e 
could include the next process to run so that as Soon as the 
demand bits and enable bits for any control-points in the 
Process had been turned off, the extra pair would send a 
messape to the extra pair in the next brocess to run, 

One way of representing shared space in models one 
and two is to epresent all space shared by TENEX processes 
as an object message and transmit it along with the wakeup 
message. This is a good model in the sense ble tomate Espia c 0 y 
ties shared memory to access to a subprocessor, but 1t hides 
the relationships between the processes dola tha sarin’. 
Model three not only can represent the time Sharing algo- 
rithm but also the sharing of space. The T/S pair would 
receive the monitor and Clock information and manipulate 
the control-points associated with the TENEX processes to 
execute the scheduling. Since expression states within our 
brocesses are permitted to share address Space and the sys- 
tem processor applies only one subprocessor at a time to a 
process state, model three provides an exact Depreseontcäaulon 
of TENEX in our Cermak 

E E three models the TENEX "pseudo" inter- 
rupt, as they call m0 comi be represented either as an in- 
terrupt or as a SU eos Sd our interrupt mechanism, 


“e would say that each TENEX process has two control-points 
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associated with it. A higher Priorivy conc rolspoint geuld 
Meerrupt the process when pseudo-interrupt messages were 
received from the monitor. The lower priority control- 
int Wars ear he normal processing, inciudine 
the receipt of wakeup messages after certain monitor calls. 

The alternative is to describe each TENEX process 
with only cne control-point, representing the pseudo-inter- 
rupts as faults delivered by the implementation to the sub- 
Bmocessor being applied. The interrupt models nicely the 
fact that certain of the events are truly asynchronous with 
respect to a processes execution (from terminals, other 
processes) but the fault models nicely those events which 
are a result of a local execution (arithmetic). Since the 
TENEX virtual machine does not clearly distinguish between 
interrupts and faults as we have in our system, either 
Salmon Would be sufficient as a model of TENEX, In all 
Uo e models using the interrupt mechanism, a Merarchial 
Subprocessor application scheme would be used to determine 
hen to apply themsubprocessors to the proeess states. 

There are almost no accountable objects manipulated 
by gob processes ineTENEX since thestime-sharing implemen- 
tation attempts to allocate to each TENEX process its "fair 
share” of physical resources. A major difference between 
TENEX and our system is that we have introduced accountable 
objects and the AO subprocessor to provide a mechanism for 


asparenuemuscess to use if it Wishes to allocate some of its 
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accountable object to its children while maintaining con- 
trol over the use of them. The ability to receive pseudo- 
interrupts in TENEX can be thought of as an accountable ob-— 
Ject in the sense that a parent has the right to field in- 
terrupts for its children. One of the major consequences 
of not having accountable objects is that TENEX is not 
Sally able to Support a hierarchy of operating systems. 

There are several features of our network which are 
Hep present in TENEX. The TENEX virtual machine is as Com- 
Diesen s®theilr concept of system can pet and in it there is 
Mo concept of lockstep process transformations which we get 
Whacrmmultiple processes reside in one of our Systems.  TENEX 
also dees not have the complex process states we can con 
Struct using multiple expression states (Model 3). The 
authors of' "TENEX, a paged time sharing system for the 
PDP-10" (BB 71) use, as an example to illustrate the useful- 
ness of TENEX's structur Sy àa program wishing to wait for 
terminal input but only for a specified length of time. Two 
Precesses sane created, one waiting for the Di ond one 
waiting for the timer. Ve could solve this same problem 
Une two ES/CP pairs within the same process rather than 
two processes, ‘The Process could even be doing some addi- 
Clonal processing using a third lower priority ES/CP pair 
and still be interrupted when either of the two events OC- 
curred, 


Whereas we can model their system with its time- 


ie alporichm, Chey could not hide the fact that they 


en 


are a time sharing system if they were to try and model our 
system. The TENIEX structures are designed for single sys- 
tem interprocess interactions. Even these are highly con- 
Strained between jobs in the same system, whereas our normal 
interprocess communication structures are the same no matter 
what the residence of the processes carrying out the inter-- 
eer. on., Since our processes are free to move between sys- 
tems in the network, we have not permitted processes to 
share address space except througn explicit transfer of the 
information (by the process not the system). With respect 
to our goals, TENEX is most iacking in the facilities pro- 
vided for user management of potentially uncooperative pro- 
cesses. 

Tne RCHOOC multiprogramming system developed by Re- 
pencentralen was designed to "be extended with a hierarchy 
of operatin: systems. .." (lla 70). Resources are allocated 
recursively by a parent process to its children. The RC4000 
system can be represented in our design as a single system 
Containing onesprocess state, sdmilar to the third TENEX 
model (Fig. 3). Instead of the three subprocessors in the 
TENEX model we can describe the RC4#000 system with only one. 
The single process state will be composed of a scheduling 
expression-state and one expression-state for each RCH000 


Paweess @errem.ly Pesiding in .@tre. 


Since expression-states may share address space, the 
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decision to model the RCH000 system with one pr@eess state 
permits us to model explicitly the potential överlapro fad- 
dressing capabilities between RCHO0O processes in core at 
any given time (keyed access is used). Those RC4000 pro- 
cesses which ae currently stopped would exist as data ob- 
fects in the expression-state representing their parent 
Process, This is the way the RCHOO9 system permits a parent 
to deal with them, 

Our model would associate a control-point with each 
expressionestate (RC1000 process), plus one attached to tha 
Scheduling expression-state which would have the highest 
priority. The association of a control-point with the ex- 
Pressian»states representing RC4000 processes is Mecessary 
Since each process may have messages directed to it hy other 
Drocesses in the system. Each Rcelooo PYocessnecds ion 
one control-point associated with it since there is no con- 
cept of our interrupt in their system, as the user sees it, 
Meir internal interrupts are represented byour Faults” 
"Wait" operations control RCHO00 process execution by turn- 
ing off the demand bit associated with the single control-- 
point. After completion of the operation, the scheduler 
turns on the demand bit and execution continues where it had 
left off before the wait. It is this simple behavior of 
the RC/4000 process that permits us to represent it as a 
single expression-state with one control-point attached. 


If we knew that the address Siac CS oh all RCHO00O0 
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Process were disjoint, then we would represent each one of 
them by one of our processes containing one AO expression- 
state and one processing expression-state, The AO expres- 
Slon-state would perform the parentts breakpoint operations, 
insure that resources WE eras abod properly, and perform 
the scheduling function as discussed in the TENEX model, 

There are tuo additional ways we might represent 
shared space in our models and still use multiple process 
states without sending a shared space object along with 
the Scheduling, message as was done in the TENEX model. te 
Could consider the shared Space to be maintained by either 
a "shared space" process or foreign system, and have the 
Sharing processes communicate their requests to these 
agents. Although this would adequately simulate the ef- 
fects of shared space, it would introduce the artifice of 
using interprocess interactions to accomplish it. 

Ihe implementation of memory sharing mechanisms us- 
ually involves either a foreign system (shared memory mod- 
ules with conflict resolution on requests) or the process 
mechanism (monitor calls which insure that only one process 
at a time accesses the information). These models, of 
course, are simply models of low level system structures 
for normal hardware systems. A machine independent virtual 
System structure must not DE Search Tó level 


details: 


"P & V" operations can be modeled nicely using 
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either of these mechanisms, aithough in our system we couid 
Monde more control over the sharing since the process 
address spaces would be disjoint and we could prevent in- 
varia Servers ie oure niece! sulricrentvweontrol over this 
potentially uncooperative behavior could be achieved by 
pworieci.viy defining the shared space process to supply the 
information properly even if the P & V operaticns were not 
Mesa.  Uncooperative processes cannot be prevented from 
accessing shared space by using only cooperative "P & V" 
operations. This mechanism is thus useful but not suffi- 
rene for process control., 

There are two important differences between the 
RC4000 system and TENEX with respect to their treatments of 
resources and interprocess messages. The RCIH000 system 
makes explicit use of recursive resource allocation. Part 
Ia procedure for creating a child process involves te 
explicit allocation of some of the parent's resources (al- 
ways a subset). A TENEX process can control the execution 
Ina tence obits children, and field pseudo-interrupts 
Torsshemgebut ite@does notespecificabky allocate resources 
to them. All TENEX resource allocation is based on a "fair 
share" algorithm built into the implementation. 

In our single process model of the RC/000, the re- 
source allocation would be represented by creating the 
child expression-state with access to objects representing 


the proper allocation of resources, In our multiprocess 
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model, each process (representing a RC4000 process) would 
maintain che information about that process's allocation of 
Meseurces in the AO expression-stäte, which we use for our 
Pecural. VE allocation of accountable objects. 

In both the RC/000 system and our system, a parent 
Maegeeos recurestver:y allocates subservs of what it has, but 
there are several important differences between the mechan- 
isms used. Our accountable objects are explicitly maintained 
ina reliable expression-state in each process and we pro- 
vide a common subprocessor in each system to operate on that 
expression-state. By including the accountable object in- 
ation as part of the process state, it automatically 
Mes Wath the process. A transmitting system does not have 
to send an additicnal message to the receiving, system con- 
Cemming all of the accountable objects and information 
Meccssary tor their accounting and protection. The common 
subprocessor reduces the complexity of each system processor 
and assures that each system will invariantly handle ac- 
countable objects. In contrast, the RC/4000 monitor main- 
tains the resource information and performs the operations 
on this information. The RC4000 system does not need to 
Peepecie resoupce Information Local to the process state 
Since thelr processes do not move between systems. A spe- 
Cfo suoprocessor is not really necessary since the resource 
function can easily be incorporated into the monitor without 


adding, unnecessary complexity. RC4000 resources are not 
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really pre-emptible, other than by killing the child, and 
Separent "annou explicitly attach access restrictions to 
their use. A RCHO00 process is created with a given set 
Of resources and uses them at its discretion. 

eos communication is handled differently 
in the RCYOCO system and TENEX. TENEX uses their pseudo- 
interrupt and a shared address snace, but restricts such 
imeemactions to the processes of one job. An advantage of 
the TENEX mechanism is that the pseudo-interrupt permits a 
process to be told a message is pending, whereas the RC4000 
System requires a process to ask for the message and if it 
is not there, go to sleep. The RC4000 system uses message 
buffers (a resource not part of a shared address space) and 
Permits 2a process to communicate with any process it knows 
about. The advantage of the RC4000 mechanism over TENEX ¿is 
that it does not require shared space; more than one message 
can be sent at a time; and no restriction is placed on how 
many different processes can be transmitting to one receiv-- 
ini process. 

Our communication mechanisms have an interrupt abili- 
ty and do not use shared space, We associate multiple buf-- 
fers With a destination control-point and consider the right 
to transmit to a particular one of these buffers as the 
a@eountable object, not the buffer itself. We thus control 
the right to transmit to a particular destination while they 


Only control the means of communication and not who can be 





Po 
talked to, 

Although both TENEX and the RC4000 systems are mono- 
pRocessoresystems, the system structure they use could be 
‘extended to a multi-processor level. Appropriate subpro- 

m cOMeappiscation rules would have to be instituted and ail 
Primitive operators implemented so they would leave the user 
peocesses well-defined, regardiess of the number of suboro-- 
@eeoors Operating concurrently in the system. Most of the 
difficulties to be faced would arise because the user pro- 
Usos can share space and because of system race conditions 
for process state information. These are basic problems 
Mat drastically effect the structure and efficiency of such 
an extension. ‘The extension to a network or system would he 
very difficult and would severely constrain user management 
T oec, In cur Gystem, proeess states are disjcimt, 
Gul eonewsubprecessorm is applied to a process state each 
process steps and external winkeractions with a process do 
Meo ocour during a process step. Subprocessor designers 
therefore do not have to be concerned with resolving race 
conditions for shared access since it never occurs. 

Lemire ortberivy look at computer networks. The 
most degenerate form of our network structures would be 
achieved by connecting a set of systems together without 
defining their system structures ar placing restrictions 
Cit iei elmer aculons, other than with which other systems 


they can communicate. Such a network would be defined as 
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a set of autonomous interacting foreign systems. The net- 
work designers can say very little about the processes run- 
mee in such a network. Only the set of systems with which 
emp rocess can communicate Morera mweC new,  Neverthekesa, 
this degenerate network is a good model for the ARPA Com- 
puter Network (ARPANET). 

ARPANET provides "for the interconnection, via 
wemmon—Carrier circuits, of dissimilar computers at wide~ 
ly separated" centers (OH 72). Protocols (agreements on 
the format and relative sequences of messapes to be ex- 
changed) were designed as a layered hierarchy so each level 
does not have to be concerned with the intricacies of the 
lower levels (CH 72). The lowest level cf the hierarchy 
is the message exchange between the Interface Message Pro- 
Cecsesors (iMPs), and the highest level is the user process 
tO process communication. 

contras wien Che degenerate network above, we 
Cam model the ARPANET IMPs as a network whose processes 
interact with a set of foreign systems (HOSTs). The IMP 
Peeecoocs are Gully defined by the network designers, the 
Users Nave notning to say about them. Although it would be 
possible for us to model the whole ARPANET at any one of the 
above levels, it is only the higher level we wish to model 
here, In our terms, the ARPANET HOSTs can be modeled as a 
set of foreign systems supporting interacting user processes, 


In order to understand the behavior of any pair of these 
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processes, we must model each foreign system USOS Scion, 
to the application of subprocessors. Those HOS s Operating 
under TENEX could be modeled using one of the models above. 
Similar modeis could be developed for each HOST. Since the 
Process structure of HOSTs are not constrained, existing 
ones can be changed and new HOSTs with new process struc- 
tures can be added to the network. Process behavior can 
thus be defined only locally to each system according: to 
Current structures. 

In the ARPANET, process behavior is dependent on 
System residence, There is no standard concept of process 
Step or interrupt since there is no standard system pro- 
cessor. The lack of standard structure requires independent 
Study of each system model if there is a need to understand 
their behavior. Although this is Simplifying from the im- 
plementers! point of Vine Via is ene Particularly useful 
from the users! point of vlew. In order for a user to take 
advantage of the asynchronous systems to construct an asyn- 
chronous multiprocess computation, the structures of each 
systen to be used must be clearly understood, and local 
rules and conventions must Do used to desipm and manage each 
process., 

The ARPANET assumes no responsibility towards inter- 
acting processes other than providing the communication link 
to each operating system, just as our design assunes no re- 


sponsibilitics towards a process in a foreign system. There 
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are no ARPANET structures which Permit amuser to Institute 
remote constraints on process behavior, and no notion of the 
RE4000 resource Or our accountable objects, Processes in 
separate systems may communicate, but delegation of re- 
sponsibility and authority between them must be purely co- 
Operative and subject to local HOST constraints. 

The ARPANET provides five interprocess communication 
Primitives in each HOST system interface. These TAO 
PS HOST operating systems, interactions between processes 
residing in different HOSTs. Since there is no standard 
concept of either System or process, a user must understand 
each local definition before constructine®e multisystem con- 


putation. The effect Of using these primitives becomes 


be 


highly system Sensi) ve, 

Each ARPANET HOST has a set of send and receive 
Sockets whose names have three parts: user TUD e OST 
number; and AEN (a seven bit number plus one bit for send 
or receive). Socket names are thus unique throughout the 
network while providing a pool of sockets for each user at 
each HOST. In order to use these sockets, a process must 
interface with its local Network Control Program (NCP), 
which acts on its behalf to establish, break, and switch 
Connections, Once a particular connection between two soc- 
kets has been made, the process is free to communicate using 
that connection until Lt is broken, 


The ARPANET desipners used the fairly static connec- 
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tion mechanisn because they Telt that processes would con- 
duct: prolonged conversations and not one shot AS QUeSS ts” Ayu 
though the NCP ensures that the process requesting use of a 
Particular socket to make a connection has the same user 
number as the socket, once that connection has been made it 
15 possible to move the connection to a process running under 
a different user number. This, at least, means that no other 
user may uncooperatively exhaust another user's ¡A 
l is; although the processes under one user number mus t 

still be cooperative in their use of sockets to make connec- 
tlons. There is also no mechanism, other than Cooperation, 
by which a user may control the use of a connection once it 
has been made, 

Thomas and Henderson (TH 72) describe a major disad. 
vantage of the ARPANET connection mechanism as requiring a 
Process to know the socket number that the other process 
Will be using for its end of the connection before Cher con 
nection can be made, This implies knowledge of which HOST 
the process will be in and the user number under which it 
will be running as well as the particular AEN to be used, 

In our CG edie 3 control--points' name Serves as the destina- 
tion address, but although the name is unique, it is not 
bound to a particular system or user. Both the control- 
Polis themselves, A 6 transmit to Particular 
buffers associated with control-points are accountable ob- 


Jects and therefore recursively managed by the Process 


ID 
hierarchy. Our design alss leaves the actual making of a 
connection up to the implementers. If a process has the 
eee tO transmit to a particular control-point buffer, it 
can send a message without becoming, involved with making 
The connection. 

since all system processors in our network use a 

nero concept of process step, interrupt, message deliv- 
Seana Standard operations on control=point, the user vis 
Peeyecded With & consistent concept of process and process 
even ana a standard way to use the services of the network. 
Po ARPANET user must be prepared to create all processes 
local to the system in which they are to run since different 
HOSTs may have different process structures and intersvsten 
Paeeceso mipration may not be possible. Our design, on the 
weer Nan provi desecxpiicitlyefor intersystem process 
movement and provides for at least one common subprocessor 
(GP) which will interpret a general language and provide all 
inet lal network services. This; of course; does not ensure 
veo a process, using subprocessors other than those common 
to all systems, will run in any system to which it is moved. 
A user thus has an alternative to creating a different pro- 
cess in each system and exchanging control and data informa- 
tion between processes. A user can create a "multi-lingual" 
Puece oo rls ombice Ce GubprPocessom for common services, and 
NONE precesce trom system to system to access special 


Subprocessous. 
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The discussion here was intended to show how the user- 
level protocols compare with TENEX, RC4000 and our system. 
It should be noted that we could conveniently use these 
ARPANET protocols to implement our system structures at each 
HOST. Our eysten would thus become one more level of proto- 
D in the ARBANET hierarchy. ARPANET deficiencies largely 


arise from the attempt to use such an implementation struc- 


Cure in place of che virtual network that is really required. 


Further Work 

It woulda be conceivable to answer questions concern- 
ing the generality of the postulated constraints by extend- 
ing this work in several directions. One of the first ex- 
tensions which comes to mind is to include not only systems 
ma orente ol our network, but also Other networks, giv- 
ing us structured nodes end a hierarchy of networks. Ques- 


4 


tions concerning the relationships between processes in the 
Various levels of this hierarchy could be investigated. The 
systems in one network level might be considered to be for- 
IS SES GO Che processes in all other levels, or per- 
Naps a logical interface process should be provided ,through 
which connections between networks are maintained. Re- 

eee moat ty Ge aublorlivy problems belin vo surface again, 
Vee ern tie Cie os Of processes Jn cne netiiork with 
POSO: Tosen areas aamodiflcations and manipulations of 


MeCOUGUaID © oo ,ec:s (Gledbal vs. local rights). 


25 
The sufficiency of our constraints and the correct- 


“e design decisions when Pame ana contínuous 


et 
a, 
SS O 


Cy 


(analogue) processes are added to the system is also iim necd 
of inve stigation. Does our design remain invariant when 
used for these Processes, and what can be saiad about process 
behavior? In the case of real time processes, the process 
State structures probably are not effected but the relative 
Speeds of systems will effect real time PFCCESS performance. 


In the case of continucus processes, any investigation must 


first define what is meant by continvous processes, how to 
represent them, and how to combine continuous and Ge eee 


Processes into one model, 
The esim in this thesis must be extended to mived ude 
the subprocessors and thelr modification operators, before 


ce 
at, 


dE eat Cha hones youl es be produced. The G Subprocessor 
is to be a brogrammable subprocessor connon to all systems 
and must provide all initial network services within a 
iyramework of a general language. The design of the AO sub- 
Processor must include investigations into Classifications 
Or accountable objects, operators for Mai accounting and 
maintenance, and the effects of process birth. emus cic 
intersysten Movement on them, Investirations into network 
MOAL Cation operators must be continued to dotermi ne the 
forms they may take and the freedens ich can be berni tye 


Lor modifications, including modifications which ara not 


just auementetions, 
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Implementation questions which can 


pal 


There are severa 
be pursued based on this design. We can exploit our knowe 
ledge or the system to study the optimization of an imple- 
mentation, Once a prototype implementation exists we can 
monitor the process behavior at both subprocessor primitive 
level and the system processor operator level to improve our 
implementation. We can then study independent of any par- 
ticular Implementation, ihe question of practicai machine 
design including buffering and efficiency along with sub- 
Processor augmentation, program type objects, and special 
Subprocessors, 

Im acd. t1on to studying implementaticn questions we 
Can abstractly study the properties of our formal defini- 


tion. A parallel effort is being pursued (Jo 73) which is 


E 
+ 


Ss ‚ions that certain fea- 


+ 
d. 


fo 
Ç 


intended to derive and prove 


y 


wures Of the state languages of systems (using the defini- 
tion system in FH 71) remain invariant to transformation 
under that system processor. We wiil then be able to use 
these mechanisms to investigate the formal definition On Ou 
network and the processes it Supports. We would hope, by 
studying the network definition itself, to verify and even 
formally certify our design from the point of view that cer- 
tain of the designed system process state structures are 
proven to be invarlant under the transformations carried out 


by the system processors. Our design has been "debugged" by 


test cases, using an interpreter for the formal definition 


system, but this testing alone cannot ba sufficient to certi- 


m 


fy that these invariances remain so under all transformation, 

Once the network exists, it is clear that not all 
users will be permitted or even will want to use the TULL 
ext bility iets Structures, Investigations will be 
needed to determine what user operating environments should 
be created by using appropriate processes in the process 
tree and distributed over the network systems, Using -the 
hierarchy we can investigate distributed Voa Central cone 
trol, and various levels OF user freedoms. We can thus 
Study concepts of' logical operating System structures and 
commonly desired services, Our network provides an operate 
ing system implementation language for such studies, 

One final area of investigation is the development 
Of application tools including the various ames lion lane 
Buages which should be provided in a network, We vould ile 
to develop a translator-compiler (written in the GP language) 
to take some of these languages anā generate translators for 
them, whose output is the language interpreted ANA Tike 
would permit such processes to be system independent since 
each system has a GP. We would also líke to develop certain 
special purpose applications such as distributed data base 
and management information system, and user process heir- 
erchles which interact with special. purpose foreipn systens, 

several of the above items are currently being in- 


vestigated. The initial design of the GP Subprocessor has 
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been completed (Fi (ovr ane an implementation of it Slcus 
written in a common s bset of FORTRAN IV. A Nes TS 
(Co 73) is under preparation to complete the Cesta or the 
AO Subprocessor and another student is investigating modi ~ 
fication operators (Pa 73), A single physical system imple- 
mentation of one logical system is in progress which will 
then be duplicated within that physical system to give us 
multiple logical Systems. A movenent to a multiple physical 
System implementation of the multiple logical system will DE 
attenpted dependent on the completion of a small physical 
network being constructed at the University of Wisconsin. 

A research seminar (Spring 73) is investigatinr the ques- 
Bene of Wranslator-comvilers and defining one in the GP 
language to make it available in each System, Most of the 
Other projects have been discussed and corsidered as futura 
work but are not currently scheduled since they are depend- 


ent on the work currently underway, 


Summary and Conclusions 

The emergence of networks of digital computer systems 
nas resulted in severe problems consernine thele nanagabi.li- 
DIE, generality and portability. A managable network desipn 
must provide for the resolution of conflicts Of responsibili- 
ty and anno ty Generality must exist if the network is 
to be useful to many classes of potential Users. Ponte]. 
ty must be possible if the network design and user processes 


are not to be implementation dependent. 
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A sufficient set of postulated constraints on the 


network design were developed to ento solutionetor these 


E 


problems. Difficulties in network manageability result 


e 


3 


marily because of the conti tines rolls of the network, inm- 
Blementvasien, na process designers. The solution requires 
a clear factorization, between these three agents, of the 

esponsibility and authority for controlling the behavior 
of the processes running on the network, 

A design was then carried out within the postulateg 
Constraints to show both that a solution to the network pro- 
blems does exist within these cons brainer andate Loads 
to a design which it is feasible to implement and which is 
Beneral enough to contain at least most of the current SYSe 
Gem structures. A set of derived constre ints were devel- 
oped to explora in mere detail the conse uenbas sole 
postulated constraints, and then a set of des ign decisions 
were developed which defined the Beneraliissoräthe struse 
tures to be provided the users. Finally several current 
systems were modeled us ing the network structures developed 
and the structures themselves were formally defined, 

There are many conclusions which could be drawn from 
the work presented here. Cne of the most sienificant of 
Kies that itawas possible to accomplish such a general 
goal, with the result being a clear solution which seems 
20 be implementable. This success appears to be a result 


Of heaving undertaken the whole problem of manageability, 
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generality, and portability, and not approaching only one 
part of it. The particular PecuORi eat ions of the problem 
made in this thesis were based on the eur alnitssang des 
Seca ls and not as a result of arbitrary or conflicting 
decisions as defined in eursent systems. Factorization of 
Pompors tol ity and authority was the tool which makes the 
solution possible, It does not appear that it is sufficient 


to approach these problems independently (for example, try. 


ing to solve the problem of portability while lea aving cure 
Fent System structures unchanged and independent), It may 
ber’thatr because of the interactions of these DrOMNUENS: a 
Elcbad solution such as SS id a ie thesis, is the 
Chiv poesiole path to a gstieral solution. We have shown 
Game Ls 5 suf Pod Mao Dati 


ne Oo PESUIC OT having 2 set of machine and technology 


independent derjnitilcns which ara at least capable of neac = 


fu 


Ing current: systems, it is possibile to discuss system an 
PROCESS Survetuyes and compare then using the network de- 
sign pressuted here, The vocabulary used is independent o” 
e system being described, and presents a well-defined 
framework within which to define problems. The Concept of 
a generas process atep provides maximum freedom to the user 
and designer, while providing sufficient rules to permit 
Work to be zetualiy escomplished. Processes defined to run 
OM OUT Network sys@@ns will provide pertability not only 


between currently Implemented systems but also ine een 
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Peneravions Ci implementations of the current systems. This 
means thet 1t issmew cost effective to invest heavily in 
applications and application tools since they can survive 
changes in technology. Process desipners can define local 
logical operating systems, including the management of ac- 
Gounvtvabie objects, in distributed computations which are not 
System dependent. 

Many of the features of the design are interesting 
wnen taken by themselves and need not be applied only to a 
Memmork.,  COoMmcercl=<points combine The functions of both com- 
municaticn and control (interrupt) and permit intervrocess 
interactions to be directed to particular parts of a pro- 
Sees tete and not Just the process itself, Subprocesses 
aia expressilon-states in conjunction with control-points, 
permit the concept of process step to be renzeralized. The 
Sreprocesesor designer is able to aefing its state structures 
PQemoperauLonswon that state, thus deferring binding of po- 
ventlai process behavior indefinitely since the introduction 
of new subprocessors does not affect current process be- 
ARIS ScHzept of accounmteble objects, and their 
CONC PON and cantro® by the nroc®ss hierarchy provides a 
(Mes michanism For creating user cperating systems., Evo-~ 


Imelonäry processes permit She deferal ef the choice of a 


oe 


Pe er eee work while providing a clear mechanism for 
Amo rain 3 and for making a@aptive clmaeres to an existing 


definition he Mart that thore is never anv asynchronous 
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fighting over a process state by systems or subnrocessors 
means that the implementers have “no race conflicts To re- 
solve. The process must, and can, resolve its own problems 
locally to that process, Binally, although the network WES 
designed to provide mechanisms for the control of poten- 
tially uncooverative processes, process cooperation can 
still be exploited. Within a process state all Ope tions 
except operations on accountable objects, are considered 
cooperative and limited only by the operators available in 
the subprocessors being used. If the Drocesses wish to use 
normal control-point communication to interact and not 
invoke the AO Subprocessor, they may do so. BR jeets ex. 


+ 


Changed in this Way are not subject to accountable object 


0) 


Buavrantees and therefore the processes use of them is pure- 
ly cooperative. The Single unique asnect of cooneration 
Which is not permitted between disjoint processes is shared 
space, ‘he whole structure presented here would be great- 
ty complicated and lose much of its implementation effi- 
ciency if it were permitted. The implementation wouid be 
constrained to maintain the Shared space in the same physi- 
cal memory and map the processes onto it with the inherent 
conflict and race problems, Processes could not be arbi- 
trarily moved, By simply factoring processes into disjoint 
address space such problems do not exist, As was shown in 
our TENEX model, sufficient generality can be obtained with- 
in one process State to model the whole TENEX system includ- 


ing the shared space. 
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APPENDIX A 
CONSTRAIHTS 


Postulated Desipn Constraints 


CL, 


O2., 


Ch, 


OD. 


Ihe designed network must consist of a set of inter- 
acting bounded programmable digital computer Systems 
with well-defined processes, end be open to Communrlca=- 


tion with foreign systems having undefined processes, 


Responsibility for meeting the postulated design 
constraints and design decisions must be fac- 
torec between the network, imp entation, and 


process designers, 


Bach designer must have sulfficient authority to con- 
trol the effects, on the processes running in the 
network, of the interactions for which that designer 


has been delegated responsibility; 


Although processes must be permitted to delepate to 
other processes their authority to control Process 

interactions, the delegating process always retaíns 
responsibility for thet interaction and the author- 


ity to control «ha Prosess to which it was delegated, 


The network definition must vrovíde for modification 
of its definition. The design must provide sufficient 
constraints to be able to delegate safely to process 
designers all modification decisions and authority to 


control the effects of such decisions on the processes, 


Delegation o? Authority Constraints 
A A VONE Ural 


DL, 


DF, 


D5. 


Der 


Set? Cra ASA 


Responsibility for each interaction and authority 
to control it must be uniquely assigned to the same 


designer. 


Network designers are responsible for enolubrine Rat 
the network is self protecting, meets the Constraints, 


and is formally defined, 


The implementation designers ara responsible for the 
Ges Len. construction, and maintenance of an optimal 


cquivalent system, 


Tne process desipners are responsible for all virtual 


interprocess interactions, 


If an implementation designer has an unsolvable prob- 

lem due to boundedness which effects the processes 

in the network, the effect on the process state structure 
must be welledefined so the process desipners can 


ameliorate the consequences, 


Network designers are responsible for the initial 
definition of the network and implicitly for all 
evolutionary paths. Implementation designers are 
respensible for the implementetion of the ol al 
definition and for any potential evolutionary path, 
Process designers are responsible for SOlecting 


which evolutionary paths will be followed, 
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Process Designer Constraints 


ce 


Paga 


PH, 


22 


Br 


Ei 


Es 


Processes must be arranged in a tree structure define 
ing their hierarchy of responsibility over descendent 


processes, 


A unique root process must exist representing overall 


process manarement. 


No processor race conditions can be permitted to effect 
the process state transformation during that transfor- 


mation. 


Operators available to process designers affect only 


the containing process state. 


Mule processes may be transformed in parallel. 


Distribution cf processes over the network must be 
permitted and cach process state must be uniquely 


contained in at most one system at a time. 


Interprocess communication must be permitted and be 
subject to parental control. Synchronization between 
Proceso asis ene responsibility of process designers: 
Processes residing in different systems may be syn- 


cion ea only using interprocess communication. 


An "accountable object" chain must exist, and processes 
must be able to restrict use of these accountable 


objects when sub-allocated, 
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Network Designer Constraints 


et ne nr A 


MZ. 


er 


N4 0 


N5. 


N6. 


E. 


The network designer ís responsible for providing a 
set of invariant names which can be used by the 


Prececu eS pits Tor communacation ana control, 


Therretwerk designers are responsible for changes 


in the network formal definition. 


sufficient services must be provided by the network 
Gesipners fer the process designers to accomplish 
ner pnmmase including resource accounting and 


inbereystem communication. 


Network modification operators arce meta-operatore 

and must first ensure the modification does now vio- 
late any of the postulated constraints and then either 
act as a no-op ¿if it is one of the permissible paths 


orm Volution or fault if it is not; 


The effects of network evolution, other than the ad- 
dition of @ new system to the network, must be local 


Co, the Sysvem waehin which the operator was executed. 


The network design must permit process designers to 
limit the effects of a network modification operator 
Vou process CKOECULAIE 18. Process designers must 
be ablewco uniquely control the right to execute 


non-commuting modification operators (if any exist). 
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APPENDIX B 
DESIGN DECISIONS 


Al - Each system processor in the network will contain a 
Semen ideni hable suüubprocessors includingsat lesast 
the following three: GP (General Programmable), AO 
(Accountable Object), PR (Process state Reccive and 


transmit). 


HN Marocessostate is defined by a set of identifiable, 
typed, possibly related expression states, and asso- 
ciated information necessary for both subprocessor' 


atLocation and anterprocess interactions, 


A2,1 ~ Subprocessor access to structures of any 
other type of expressicn-state must not violate 
thesconventions of the other expression-state's 


designer, 
A3 =~ "Control-Points" are accountadle objects. 


A3.1l ~ Individual control-points may be paired 
with individual expression-states and more 
than one such pair may exist in a process 


state at one time. 


A3.2 = When paired with an expression state, a 
control-point will have associated with it 


the type of subprocessor to be applied. 





A4 = 


A6 -= 
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Control-pcints will serve as uniquely named destination 
addresses for interprocess messages, The arrival of 
Such messages, as well as local subprocessor opera- 
vions, 0 designete an ES/CP pair as requesting a sub- 
Doce ooo e GOP Ch Suet iCwctatus.of other pairs. 
The system processor will apply at most one subpro- 


Cessor to a] Drccess state each process step. 


A4,1 - Each process state, except the PR process state, 
eC ome sepia / CP epaireadhichecan. interrupt 
all others in that process and which can be in- 


terpreted by the AO subprocessor. 


C eau tion vo its basic functions the AO sub- 
processor will be responsible for regulating 


PISO solr ty death, .and Inrersystem movement, 


TOS ess may gemerave a single interprocess message 
Doaproces sten, .wilch 2S Droadcast by the system 
processor to a particular buffer associated with the 
Bere olomsconL.rol-poınt, Process desipnmers can con- 
Vor ga meets transmit, une right to listen, and 
the right to allow an ES/CP pair to become demanding 


as a result of a buffered messare. 


ieee Neuworic Gelinition will consist of one 
basic system with an initial root process state. Net- 


work modification operators will permit the creation 





By. 
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Seas racional basic Sysvems, Subprocessors, 
SUbprecessor Operators, and system processor operators 


for control~point housekeeping. 


A6,1 - The design of modification operators will be 
delegated to subprccessor desipners. NModifica- 
tion operators will not introduce new modifica- 


Cion Operators., 


Inaccessible objects may result from meta-operations 
invoked by implementation desipners because either a 
subprocessor hits a bound or there is an implementaticn 
failure, Subprocsssors trying to access an inaccessi- 


ble object will fault. 


AT.1 - Implementation failures affecting the account- 


Ateo Tec enana may. cause” gros, processes, 
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APRENDER C 


EXAMPLE FORMAL NETWORK DEFINITION 


INTRODUCTION 

This appendix will formally define an initial basic 
system and also define, as an example, a two system network. 
The definition system to be used here is described in Fi7l 
and is formally defined in the appendix of Jo73. An impie- 
mentation of the definition system exists on the University 
of Wisccnsin's UNIVAC 1108. The representation used in the 
listing of the definitions presented later wili be that 
Ssecopted by the implementation in order to ayoid "typosraphi- 
Colt errors. 

Although familiarity with FH71 is necessary for a 
Mmecise understending of definition details, a brief intro- 
duction to the system will be presented here so the reader 
who is not familiar with it will have a reasonable idea of 
what is being done. The definition system has the ability 
to represent a set of interacting asynchronous digital com- 
puter systems as extensions of Post production systems 
(FH71). The automaton which interprets the definition sys- 
tem defines the concepts of processor and process. 

As in Post's formal system there is an alphabet (x) 
aos alos Hand productions (1:). Some of the cxtensiions 


to the Post system are "not x" to represent any single 


I 
character except x, where x 1s in the alphabet; the ability 
to discard irrelevant axioms; the ability of one system (SR) 
to communicate with another system; and the generalization 
of antecedents to permit the use of restricted processors 
Wea). 9 (RPR is described in FH71 and.(7) is an example of 
the use of an RPR in the network definition. The parenthe- 
Sized numbers correspond to the parenthesized numbers found 
Gn the system listings and are used to indicate specific 
items which will be discussed here.) 

An SR (system) has the property that it runs asyn- 
chronously with all other SR's. Each of the three systems 
presented in the network definition is an SR. Messages are 
transmitted es an axiom naming a destination axiom to be 
matched (in the destination SR) and a message which replaces 
inet axiom im the destination SRe A flowchart describing 
the primitive automaton is found in fige la, b, Co It 
applies the operators (productions including double arrow 
productions (9) which transmit messages and restricted pro- 
cessors (7) to the axioms, saving only generated axioms, up- 
dates the axiom set with any incoming message, and then re- 
peats the cycle. A system step is defined as one cycle of 
the primitive automaton as described above. 

An RPR can be a part of the left hand side of any 
operator. The main difference between its representation, 
other m rstven,.. is chat ıt has a pattern, in place of 


an axiom set, which must be matched (using the RPR alphabet) 





before the RPR is applied. 


tern matched substrinas of axioms. 


1/2 
RPR's operate only on the pat- 


ATREA Can oo throug 


s itself Len Í E containinc R 
ey elestieselt before returning to the cont Ba, 


thus permitting arbitrarily complex system steps. 


The flowchart (fig. 4a,b,c), symbol descriptions, and 


definitions were written by Pamela Smith. 


SYMBOLS 


O 


(tigaia) 
SyS O MANIOCESS State- Sert. 


SAn ENE 


buffer to hold generated process state 
oracao, 


system step in which they are gene 
message-receiving buffer. 

a consumable copy of o". 

the set of productions (operators) in the system. 
a COnsumabie copy of 7. 


a buffer for (channel, message) pairs during the 
system step in which they are generated. 


a buffer for (channel, message) pairs during the 
application of the production from which they are 
generated. 


a buffer for (channel, message) pairs during the 
execution of the RPR by which they are generated. 


a bufier for RPR resules which are generated before 
the RPR terminates. 


a production selected at random from C(r). 
answer uU selected at random from C(g"); 1t is a 
message set, consisting of a unique channel name 


an or messagessassociated with that name. 


a Boolean stack variable, true if an SR is being 
executed, false if an RPR is being executed. 


the empty set. 
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/vegin \ 


system 
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stack status 
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| C(t) < T 


3 





erase marks on 
elements of © 
that matched 
antecedents 


a 
i = | (1) 
a 





remove p 






way to 


apply p to 
J 


no 







yes 


erase marks on 
elements of © 
being used 


2 * 





Steekssldtus 

SR + false es 

O + substring 
matched by 
RPR pattern 






Fig. ha--iNTERPRETER Flowchart 


the transformation of axions 
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termination of an RPR application 
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Fig, le=-INTERPRETLR Flowchart (Cont?) 


SR process step termination and message management 
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A CIS ct Ling, 


mark a designation that can be attached to a process 
state, then erased; it means that no production 
has been applied to this process state since the 
beginning of the system step. 


flag a designation that can be attached to a process 
state, then erased; it means that this process 
state has just been introduced to c as a trans- 
mitted and accepted message. 


DEFINITIONS (fig. 4) 

TRANSMIT 8 The transmit primitive takes the (channel, 
message) pairs of B and forms them into message 
sets before sending. There is a conflict reso- 
lution mechanism which enables each system's o" 
to be able to determine the order of arrival of 
the messages it receives. 


SiS. EREE A primitive that takes o” out of commission 
without loss of messages. 


MATCH A 5 can match any string over (x+A)* in any 
CONTEE, 


APPLY P TO o Finding a new way to do this implies 
binding of the variables. 


GENERATE ALL CONSEQUENTS All results (states that match 
the pattern but no antecedents) will be used, no 
Ralterswvneneiısavere generated. A result of A 
Jill cause the RPR pattern $ to become A in the 


consequent. No consequents will be generated if 
the result is e. 


STACK: O,0,T,B,B,,6' Chin), Econ oe oP 


o e 


In the next section three systems are defined. Sys- 
EEA lo eenemeerinition Of an initial root system, and sys- 
tems B and C are the two systems in a two system network 


example. The implementation accepts an arbitrarily large 





107.7 
set of "charaeters" in the form of alpharumeric symbols 
(such as Alpha or B35). Each such symbol is treated as a 
single character. Alphanumeric symbols may be delimited by 
any character (including a space) except a letter or digit. 

De genay ces: ine toeltewing meta characters are 
used by the interpreter. (Note that all of these characters 
can be quoted and then used just like any other character 
in the system definition.) 

[} - beginning and end markers for an SR and RPR. 


: riers Cliemeecmnnimg Of tne axiom set (o:) of 
an SR (Note RPRs have only an axiom pattern). 


# = = Males othe beginning Net) of 
Ansagen co, 


oo 
Í 


marks the beginning of the productions 
parate) Gl an SR or RPR. 


& - separators between axioms in the axiom set 
and between antecedents in a multiple 
production. 


=e 


- separator between productions. 


> = arrow Used in productions. A single arrow 
separates the antecedents and the consequent. 
In a double arrow production the second 
arrow separates the consequent message from 
the destination name. 


Me Or Sa natenes any character in the 
alphabet but "a"). 


$ - matches any string over the alphabet including 
the null string. 


TMi~eqer> = Subscripts for variables in consequents 
which name variables in antecedents. 


fecietisetom4|!): The following is a definition of the 


Bor Des a tefsets of the network systems (subject to the 
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17 
addition of other state sets of the network as the result of 
network modification). 

vers stabeyr:r2=esystem phase> <chan list> <buff list> 
<process list> <candidate list> 
ogi. Lists 
A t a : ey Y 
phase- each system has a phase counter (3). 
<y Stem phase>::=PRAS9E <phase number> 
<phase number>::=1|21!3 


Omen Cach system will have a set oí channels to receive 
Messaces Lor its control—pointss 





<chan 11St>3:=<messäage channel>| <message channel» 
See ey 


Ass ate Channel s=cCHAN <control—point name> 
<ouffer name><msg> 

<control~point name>:;:=<AO name> |<PR name>|<GP name> 

<£0 Name? ti=:<process name>,0 

<process name>::=<root name>!<process name>.<child name> 

<rOOt Naies + v=) 

«child neme>>3=<integer> 

<cieve ger es <dlest> licnzcromendigita 

WG sogar Cae it <ndi ci t> 

<digit>::=0 |<nzero> 

<nzero> s :=1|2|3|4|5l6|7]8|9 

<PR name> ::=<system number» PR 

<system number>::=<integer> 

zur names. cp on Cr 

SO 7 >,.:-<inLerer> 


<buffer name>::=<parent buffer> |<interface buffer> | 
<integer>|<acknowledge buifer> 


<parent buffer>::=P|<process name> 
“<mavertace bulfery +: =i 
<acknovrledge buffers::=5 





1 
<mSg> : ::=<null> |A<message> |a<inaccessible object> 
[ee 
mer 22.509 De deilined by subprocessor designers 
<inaccessible object>::=* 


Bei -eachssystem will have a set of control-point buffers. 


Coie Vet 2. nic. age bußrer> <message buffer? 
ebuitemsiist> 


<message buifer>::=&BUFF<control-point name><buff name> 
<msg> 


Beocess-each system will have a set of processes 
“proge@ss limt> time<process> |@process><process list> 
Ceueeces © :=c<intertace> PROCEoo<process state> 
<mvertace> ::=<null>|<msg> 
¿process State>ss=<PR state>|<user state> 


<PR state>::=CP<system number>PRa<demand>PR[<PR exp- 
state> | 


<demand> ::::0| 1 

<PR expression-Sstate>:;:=<acknowledge 11st> 
<acknowledge list>::=<ack>|<ack><acknowledge list> 
<ack>::=<slist><process name> 

biste) 52 


<user state>::=CP<process name>A04 <demand>A0| <AC exp- 
state: | 


iOMGri=siave>st=<A0—2a><GP—bs List> 
<AO-ES>::=to be defined by AO subprocessor designer 


<GP-ES list>::=null|<GP ES/CP pair>|<GP ES/CP pair» 
IA 


<CP ES/CP pair>::=<GP control-point> <GP-ES> | «GP-ES> 
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GP=E0>33=b0 be defined by the GP subprocessor design- 
er 


SR l-powii> t= GP<GP name><CP status><arm list> 
<CP status7::=a<demandaa<enable>a<deliver order> 
sb 2 ll 

sie ode 2 =() |) 

arm list>?:=<nul.l>|<arm status>|<arm status><arm list> 
Seis ao >? *-< Shots. <CP name><buffer name> 


<status> ::=AÄRMI DARM 





Bee ver list Onty exists 1n phase 1 ana tells which control- 
Points are cancidazes to have a subprocessor applied. 


<candidañes listsss=<nulil> <cendidate>|<candidate> 
SANO LO Sr L1SL> 


Sida e e Ca TUS << COMODO Names 
<can status>::=CAN|NCAN 


Loom y tasteas the list of modification operations to be 
carried out (phase 3 only). 


«modify list>::=<null> | <modify>|<modify> modify list> 
<modily> ::=&ODIFY<process name> smod><GP name> 


<mod> z:=]ITII HILE 





State Set restrictions: the following constraints 


will hold on the state set of each system in the network. 


a) The system will contain one process with a 
<PR state> with the proper <system number>. There will be 


one <message channel> with corresponding identification for 





ot 
each other system in the network and one PR <acknowledge 
buffer>. 

b) The system will contain a finite number of prc- 
os with <user state>. 

c) For each <AO name>, one <message channel> will 
exist for <parent buffer>, <interface buffer>, and <acknow- 
ledge buffer> along with one <message channel> (with appro- 
priate identification) for each of that processes' children. 

d) For each <CP name><buffer name> in an <arm status> 
there will be a <message channel> with the corresponding 
7 name><buifer name>. 

e) For each <CP name><buffer name> in an <arm status> 
there will be one <message buffer> with the corresponding 
zersname><buffer name>. 

£) On Phase 1 there will be one <candidate> for each 


<control=point name>. 


We would consider an appropriate path of evolution, 
as a result of modification operator execution, any system 


vıebavenld meet these constraints. 


SES Pr@eessoOr Operators: The % production set (3) 
of each system defines its operators. The line numbers refer 
to the root system definition as a specific example. 

Lines 9-11 (3): These operators maintain the phase 


coun eT (Lig. 5). 
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Pier O OLAS set for system verification 
purposes. This operator is not required as part of the sys- 
tem processor operation. 

Lines 13-26 (4): GP message buffer overations are 
carried out during all three phases as follows, Line 13 
clears all GP input channels at each phase. Lines 21, 25 
remember any message already in a GP buffer (if buffer is 
Still armed), if no new message has arrived on the corres~ 
ponding input channel. Line 26 buffers any new message (if 
the buffer is armed). Note that the productions, lines 2/1, 
and 20, cause only the most recent message to be buffered. 
Line 14 ensures that any disarmed buffer is empty at the 
end of phase 3, the other productions are avplied in each 
phasee There will be a set of productions similar to lines 
24-26 for each GP buffer. 

Lines 16-23: AO and PR message operations are dif- 
ferent in phase 3 than in phase 1 and phase 2. Lines 17, 18, 
22, and 23 update AD buffers in phase 3, and line 19 updates 
the PR buffers in phase 3, Line 16 remembers AO and PR 
channel messages in phase 2 and phase 3. No buffers are 
required for AO or PR control-points except during phase 1 
re chen Zeösnmun.carion 15. by design, cooperative. There 
will be one production like each of lines 22 and 23 for cach 
AO in the system. 

Phase l: Designate which control-—points are to have 


subprocessors applicd (Fig. 5) (5). The control-point 
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Phese l 





a 









LS o 
for each process determine 
1) which subprocessor to 
pp aedon Priority of 
PCOnNGrOl—points which are 

Cn datos: 

2) put messages for selected 
|eontrol-point in interface 
‘buffer as appropriate. 

|3) message buffer operations, 





t 


1) dispatch generated 1) apply subprocess: 


O 
y 


messages. (process Sten) 

2) aetermine which 2) message buffer 
Convrol—points are ee E 
eenanıdates to have a |” ne a ee ee 


Subprocessor applied. 
3) message buffer 
operations. 








Phase 3 Phase 2 


Pipe 5 -—- System Phases: the system processor 
has a cycle of three system steps which includes one process 
step (phase 2). 
designated within each process will be indicated by a "3". 
A process which has no control-points which are to have a 
subprocessor applied will be marked with a st! preceding 
its state (lines 32 and 48). If an AO is demanding (line 
27, 258) it automatically gets a subprocessor applied since, 
Pcia ls always che highest priority control-point 
Irsa ji AO) has been designated a candidate (done 
in phase 3 as a result of being demanding or having a pending 


message), and if it is not currently demanding, then lines 
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33-35 designate it demanding, place all buffered messages 
Ane interfece buiier for that process, and mark the pro~ 
cess (with a :) to have a subprocessor applied. Lines 36-- 
46 determine which GP control-point (if any) should have a 
Seer ocessor applied iit the AO controi-point in that process 
fe not a candidate (NCAN). For any GP control-point to be 
designated to receive the subprocessor, it must be "CAN", 
EMO NCEN" must nold for all higher priority control-points 
inskhat processi Then, if it is cemanding (lines 36, 37), 
designate it to have a subprocessor applied (no messages are 
delivered). If not demanding, piace either single (lines 
38, 39) or multiple (lines 42, 43) messages in the interface 
porter, and designate the control~points to nave a subpro- 
cessor applied. Lines 40, 41 and 44, 45, 46 clear the buffers 
when messages are put into the interface buffer. 

Lines 27-32 designate PR to receive a subprocessor. 
During phase 1, PR gets all pending messages put in its 
Mmtertace butter (lines 29, 30), If there are no messages, 
and it is demanding, then line 31 designates it to have a 
subprocessor applied. There will be a set of operations 
like lines 33-47 for each process (except PR) in that sys- 
teme 

Subprocessors are applied during Phase 2(6). If the 
process was marked as having no control-point which was 
to have a subprocessor applied, then the mark is removed 


(line 48). The AO subprocessor (lines 83-87) and GP sub- 


LSE 
processor (lines 88-92) are not part of this design. As de- 
Lined here they only clear the interface buffer and set the 
control-point not demanding (lines 85 and 90), or if there 
is no message in the interface buffer, they set the control- 
point not demanding (lines 86 and 91). 

The PR subprocessor (lines 51--82) (7) has been defined 
as follows. PR may get multiple messages in its interface 
buffer (! is used as a message separator). Lines 54, 55 
execute a modification operator for incoming requests to 
create a new process in the local system. The modification 
request tells the system processor which control-points a 
process contains. Line 56 turns off the demand bit (if 
there is no message in the interface buffer (! Process) 
and if the PR expression-state has no work to do ('[S1$])) 
and removes the "!" which will cause the subprocessor to 
terminate. Lines 55-58 move an incoming message to the 
expression-state for later FIFO service. Line 59 clears 
the null messages which are delivered for empty buffers. 
Line 60-62 removes one local request (to create a process) 
from the expression-state, transforms it, and places it in 
the interface buffer as a "start" request. Lines 63-66 
send back to a Source system an acknowledgment that the 
process State arrived correctly and marks the state to be 
started the next time the PR subprocessor is applied. Lines 
67-69 start such a process. Lines 70-71 send back to a source 


system over the acknowledgment channel that an inaccessible 





D ooo a Nedin place cf the process state. Lines 
72-7 do not transmit another process state since there is 
eieeady ome OuLStanding (SIN4$*]). Lines 75-78 transmit a 
process State when there 1S no transmission pending acknow- 
ledgments. Lines 80, 81 notify the proper AO by an "St if 
The move was successful, and by an "R" if it was not. Ifa 
DE CCR A TCturned inaccessible object it will notify 
the AD control-point that initiated the move that the re- 
guest failed. If a PR receives a process state it will 
return to the sending PR an acknowledgment. The PR origi- 
naliy sending the process state will notify the AO which 
requested the move that it succecdéeds That AO will then 
feet ties process state Since it now exists in the other 
system. This procedure guarantees that no process state 
will be logically lost during intersystem movement. 

Phase 3 (8) dispatches messages and designates 
Potential control-point candidätes for subprocessor appli- 
cation. Linc 93 and 95 designate a demanding AO or GP as 
a candidate (CAWN). All non-demanding AO and GP control- 
points are designated not candidates (NCAN) (lines 94 and 
Pie NCAN can be reset (by message overwrite) as a result 
of a message on a channel (line 102 and 104) provided the 
control-point is enabled and the buffer armed (AO is always 
enabled and all 40 buffers are always armed). Messages 
Bo acelscur ine phase 2 which are for local control-points, 


also resct the control-point to CAN (line 109). The candi- 
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date mechanism permits us to know in advance which control- 
points are candidates to have a subprocessor applied. 

Lines 106-137 do message dispatching. 

Lines 106 and 113 automatically buffer locally any 
message generated for a local CP if it is armed. 

Lines 111, 121, 124 dispatch any non-local messace. 

Line 113 kills a process and executes appropriate 
wai fication operations. 

Line 127 starts a process (request was from PR). 

Line 130 buffers a move request for PR. 


Lines 136, 137 create empty PR buffers. 
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CHANNAGP\%S => CHANN*<1L>IGP\%<2> $ 
PHASE 3 & SPROCESS CPClCssniI 2 „SIJAO SDARM\*\T\*S 
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AO & NCAh 1 r & PROCESS CP 1 AOS => 
b “SPROCESSS => PRUCESSS<1> 1 
& SPROCESSS => PROCESSS<2> 5 
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=3:MODIFYS<ISNEUNT PX ISGE => MODIFY 1 1 
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FEN SSHWRM COARM CF PRS AO GP ^D 
È TEST MOVE NEnwngJ!S’! 5515 -> 
US DAS CIAO 
'PROCESSSPR*TO NEW OCSHARM DARM C 
DE TEST MO 
gl!S => ASTARTS<Z>SPROCESSSCI> 
I'PROCESSS PR’CNO NEARNOCSHKHARM DARM 
MOMmGE eo. O | 2-34 °°" ts 
=> *“CHAN\O<]>PR S*R PROCESS$<1> 
PR°CLSTARTS<2>!53<3> 3 
IPROCESSSPR’LSTARTLSRARM DARM CP 
DI) 7223 Ei ey » S11 S28) 
m>*STARTS<2>PROCESSS<1>PR°CS$<3> 
TPROCESSSPR’ EVA? OS 
=> “CHAN\*<1]>PR S*S PROCESSS<1>P 
IPROCESSSPR’LCO MOVEN\NOCLSRARM DARM 
AI za 3a y CL oS]! 
=>PKOCESSS<1>PR°CS<3>0 MOVEND<1> 
"PROCESSSPR*TO MOVENOCPE Sul 2 +3) 
n ARM DARM CP P R 5 AO GP ^ 
ae IIS) 
=>"CHANADSI1>PR I1°NEW 1 CPS<23A 
PROCESSE<I>PR°CS<4>S81 52>? J 
rPROCESSSPR ESC \*aR 551155 15°) 
=>" CHANSX<I>AO Reaxra<]>PROCESSS<] 
J => $<1>PR5<2> 3 
PHASE 2 & CS*3AQOSHPROCESS ARM OARM P 
ER Obie) ee Hee TES 
Z^SFPROCESS GRESHl 2 ».% 3° A041 
PROCESS CPL SAL 27,237, A073, => 
J -> $<]1>A05<2> 5 


PHASE 2 G4 CS GPS TAPROCESS Akt DARM 
PESTE IA T e rit 
4 “SPROCESSS’ °GP*15 => PRO 
PROGESSS ~~ Gr use => 9 RROCESS 

J "> S<1>GPE$<2> ; 

PHASE 3 & SFPROCESS CPESH#] 2 .8JA0%1S5 

PHASE 3 & SPROCESS EPESHTI 2 <2 340708 

PHASE 3 ff SPROCESS CPELESuH I 2 „SIADSCP 

SL AU \^<1>GP 
PHASE 3 & SPROCESS CPEs#1 2 „BIAOSCP 


"> NCAN \*<1> GP 5 
PHASE 3 € “MOVESCPCS81 
=> NCANS<2>\%C1> $ 
PHASE 3 => NCAN 1 PR 3 
PHASE 3 € CHANTCSH1 2 «aSZIC\GPHAO PRZI 

=> CANS<SL>\GP<I> => NCANSII>NAGP< 
PHASE 3 £ UNPBCHAN BUFFS) 1 GP 175 6 
=> CAN 1 GP => NCAN 1 GP 3 
PHASE 3 £ SCTHAN 1 GP 1*°SPROCESSS & 5 
& C\SHCHAN BUFFSI] GP 15 
=> BUFF 1 GP 1*$<]> => BUFF ! GP 
PHASE 3 £ “CHAN 1 GP 1*SPROCESSS k $ 
=> CAR SY GP => REAN 1 GP 4 
PHASE 3 & *CHANCAT#2 3 YRIGP\*SPROCC 
=> CHAN\T<SL>SGP\r<2>5<1> => CHAN 
PHASE 3 & KILLCSH°C °) °” ARM DARN C 


2 3 UZILSA 
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A IA A O E S2 
!S5<2>:!S5<3>\^<1>5<1>!S1S5<4> 


PF PRS) BO.GP CP PR ==». 
VE New i S| S2 
PR°ES<€3> 3 

GES Pe. RSS 

33!s 


P R S AQ GP * 
Ss 


R’'TS<2>} 

Sle de aes 

AIN 
LINO AC 17: 
AOCS 


Ea), 2 “Seen 


0$<3> 


; 
2PRZT 3° 2>51,2). 3 


po ERASE Qi 
T 


=> PROCESS CP5<2>* *A0*15<3> 


PROCESS CERS<l> A ROSOS<2> j] 


FORTS AG CGH S00") 
CES 595 25° .G5F 71S<3> + 
Sel > GeO acs ¢ 


=> CAN £<2>A0 ; 
=> NCAN S<2> AOD 3 
NGA 12 SIG 1S 


LNanl2 3, 333677 Da 


C GPZI$ 


wos 
oe i 

SCP 1 GP*O*1SARA | GP 15 
CP 1 GPAQAISARM | GP 18 
IS<6> 5 

CP 1 GP*O*ISARM ] GP 15 


0 $ 
NE<I>SGP\*<2> | 
bor Rhea AO Se SA a 
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0 1,203.09 La 
BSCPENZSEHTEZ 3 4 AO GPSIS ~> 
MODIFYNA?*<I>NAP<2>KILL -> MODIFY t 3 
J] -> 3 
PHASE 3 & ^ACHANCSHI Z2% JAOSPROCESSS -> BUFFS<1>A0S<2> 3 
PHASE 3 & SPROCESS CP 1 A0”-035 € “CHAN 1 AO RS 
=> CAN 1 AO -> NCAN 1 AO 5 
PHASE 3 & SPROCESS CP 1 AO*1$ £ “CHAN 1 AO REPROCESSS 
& CHAN 1 AO RS 
=> CHAN ¡ AO R$<5>5<23> => CHAN 1 AO RS<S> Y 
PHASE 3 & *CHANCSAO\%H!] 2 3 4 +. 
S 1 AON\^ ~> , ÅO « 3 a 
JSPROCESSS -> CHANS<I>AON\T<I>S<2> -> CHANE<I>AON*<]>3 
PHASE 3 & *STARTSPROCESS CP 1 PRS => PROCESS5<1> } 
PHASE 3 & *CHANL\*322JPR\*SPROCESSS 
m>CHANN*C IL >PRV\A<2>95<61> => CHANV\SSIOPRAS<2> I 
PHASE 3 & O MOVENSEPLSO1 2 +2 3A05 
=> BUFF 1] PRS<1>*0 MOVE\*<E>CPS<1I>A0S<2> 5; 
PHASE 3 & ^MOYEN^S => PROCESS 5<1> ; 
PHASE 3 £ *C\*7RMOVE NEW? JS => CAN 1 PR => NCAN 1 PR 5 
PHASE 3 & *NEWSPROCESS CPCS#] 2 +.387A05 => BUFF ı PRS<2> 
^g NEW 05<2> ; 
PHASE 3 & "CHANSPROCESS CPES41 2 ZJAOS ~> BUFF 1 PRS<2>^ ; 
PHASE 3 & PROCESS CPCS#1 2 31403 =>^ BUFF 1 PRS<1> } 
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50 
Sil 
52 
53 
54 
55 
56 


SYSTEM B 


(1) c: PHASE 3 & CHAN MO P 6 CHAN TAOR 


(2) 


(3) 


(4) 


(5) 


A 
A 
p 


CHAN 
CHAN 
CHAN 
CHAN G 
CHAN G 
CHAN 1 6 
MOOIFY ] 
E PROC 
& PROCESS 
1 GP 1 
PHASE D 1 
NCAN 
MOVE START 
PHASE 1 => 
PHASE 2 => 
PHASE 3 => 
$ => esi’ 
CHAN\*GP\% 
PHA Sie a o& 
=> BUF 
REINIS ERNIE 
PHASE 3 6 
PHASE 3.6 
=> ZHAN 
PHASE 3 £ 
PHASE & 
PHASE & 
PHASE & 
PHASE & 
CHAN 1 GP 
=> BUFF 
CHAN 1 GP 
“> BUFF 
CHAN 1 GP 
=> .BURFE 
CHAN 1 GP 
CHAN 1] GP 
CHAN 1 GP 
PHASE 1 £ 


OO Tern rom 


ty Ww Ly b 


0 
O 
R 
P 
P 


P 


E CHAN 1] 
E CHAN 1 


AO 2 
PR S 


& BUFF 1 
& BUFF I 
& BUFF 1 


GP 1 
GR 
GP 3 


WU N- NVV- 


ESSEER I PRAP PRITS 
CERTA OSHT AOT TES t 

DARM 1 GP 2 DARM 1 
2 3 4 CHAN 


NEW TEST 
PHASE 2 } 
PHASE 3 1 
PHASE I } 
’ $<1> => PRINT 1 
S => CHAN\*<1>GP\%< 
SPROCESS CFES&] 2 
ENCON EZ NA <I> 5 
CHANC581] 
SPROCESS CP | AOD?) s. 
SHOVEN SCP I ACH SE 
l AGS < 23; 
CHAN\TPR\ 445 
CHANCERY] => 
CHAN Ao PRYOS 
SPRDGESS CF 1 
SPROCESS CP 1 
TES UAG 
1 GP 1$<1> 3 
2 & BUFF 1 GP 
GPRS DI; 
a6 Bune -} GP 
+. GP ISLA ; 
1^5 & SPROCESSSARM 
2^5 & SPROCESSSAKM 
3°75 & SPROCESSSARKM 
PROCESS CPOSHI1 2 


ee ole se 


=> Ch 
AO0*”D5 


es 


ele 


2> 


HAN 


Als 


& CHAN 
AQ*%Q3 E CHAN 1 
15 € SPROCESSSARM 1 


1 6 


1 GP 28 
1 GP 35 
¿ZI40515 


=> PROCESS CP5S<1>*:A0*135<2> 


CAN 1 PR € 
& BUFF |I 
=> 

NCAN 1 
NCAN 1 PR € 

CAN 1 AO & 
& RUFF 1 
& BUFF 1 

-> 

AO 

“> > 
AO 
& BU 
AD 
& BU 


PR & 


NCAN 1 


NCAN 1 


NCAN | 


PROCESS CP | 
PR 2^5 & BUFF | 


PRAN‘ 
PR 


PROCESS 
PROCESS 
PROCESS 
AO RS & 
AO Is & 


CP PRATS 
CP IL PReos 
CP 1 AO*DS 
BUFF 1 AO 
BUFF 1 AO 


C CAN i GPE SCP | 
<1 CP E GPAI? § 
E CAN 1 GP &:SCP 1 
ERMI AE 
G CAN V CPE -SCP | 
FF 1 GP 1^5 => BUFF 


GP*0°1*0 DARM 
Gio Gre Gay 


ZeoS3IJC\NGPHAO PRBIS 
E CHAN 1 


4 


at 


AQ $ 


AOS 


BUFF PROCESS ARM DÁRM CAN 
HODEETEKILLIERFAOGP CP PR 5 ~^ 


oy é , 


«SZ JAO 5SDARM\T\*\rS 


hme <1 > PR\^<2> i; 


P 


25 E SPROCESSSARM 1 


See EPROCESSSARM 1 


13 -> 
= 


-> 


S & BUFF 1 


sa 


1$<2>35<2>:'5<4>tPROCESS CF 


= 
> 


Y 


SS 
2% 


GPs 


5 


1 AOS 
AUNLS 


-> bU 
GA 
GP 2 
GP 3 

GUFF 1 


BUFF 1 
BUFF 1 


PR TSS 


PRA LO 


(PROCESS CP 1 


A PROCESS CP 1] 


BUFF 1 


15 


Sc LS CP 


6. 20727*08 
22GPp”"1*r1°%0S5<2> 


AQ PS 


GH Ua Os Te CHAN 1 


l 


GP 


15<3> 


“> BUFF 


=> CHAN 


EF 


$ 


5 


5 


GP 
GP 
EP 


l 


O IRE PANTANO SL O NOEL LO 
PUNO i 


l 


=> CHAN 


191 


~> CHANS<I>AGP<]1>5<2> 


A0S<3> 


AO$<3> 


l 


AD\r<1> 


125<1> I 
2°SSi> | 
soS<sl> $} 


R ERANS O + 


PRoOs< i> | 


GP 
l 


5 <2>6C3>3<49S$<5>$<6>PROCESS CP 1°3AQ419<1> 3 


15 


GP 


TASC 


e 
Y 


i 


2 
9 
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192 


NCAN i AO & CAN | GP £ SER I GP*O*1*0s 
& BUFF |1 GP 1 & BUFF 1 GP 2°85 
SORAS KLODS LIS CPI GRANATA s2 | 
NCAN 1 AO & CAN 1 GP € 5CP 1 GP*0”*1*05 
& BUFF } GP 1 & BUFF 1 GP 2^5 & CHAN 1 GP 2¢§ 
=>BUFF I GP 25<4> => BUFF 1 GP 2 *$<3> 5 
NCAN 1 AO & CAN 1 GP & SCP 1 GP*0*1*0S ; 
& BUFF 1 GP 1 & BUFF 1 GP 2 & BUFF |] GP 3°85 
DS AR A E O | 
NEAN"T AD ETEAN 1 GP & SCP [ GP*O0*1*03 
E BUFF 1 GP 1 € BUFF 1 GP 2 € CHAN 1 GP 35 
EBULFF 1 GP 35 -> BUFF 1 GP 35<3> -> BUFF 1 GP 3°8<4> 3} 
NCAN 1 AO & CAN 1 GP & SCP 1 GP*0*1”15 
6 BUFF 1 GP 15 € BUFF 1 GP_25 & BUFF I GP 35 
=>5$<3>5<4>5<5>5<1>CP 1*:6P*17*1*%15<2> 3 
NGAN 1 AO E GAN 1 GP £ S5CP 1 GPSO0*1*1576 CHAN 1 GP 15 
& BUFF 1 GP 15S 
=> BUFF 1 GP 1%$<¢<3> => BUFF 1 GP 18<4> 3 
NCAN 1 AO & CAN GP & SCP 1 GP*0*1715 
ECHAN 1 GP 25 £ BUFF 1 GP 25 
=> BUFF 1 GP 2 $<3> -> BUFF 1 GP 2$<4> } 
NCAN 1 RO TBTEAN 1 GP £ SCP 1 GP*0*1-15 
E CHAN 1 GP 35 & BUFF 1 GP 35 
=> BUFF 1 GP 33<3> => GUFF 1 GP 35<4> ; 
NCAN 1 AO £ NCAN 1 GP & PROCESS CP 1 AOS => PROCESS CP t AOS<1>;5 
(6) PHASE 2 & *¡PROCESSs -> PRUCESS5<1> | 
PHASE 3 £ SFROCESS5 => PROCESSS<S2> ; 
PHASE 2 => MODIFY 13 E 
(7) PHASE 2 & €S* SPRSAPROCESS ARM OARM CP P R S PR AO GP + 0 
ie oe Et START MOVE ¡En TEST ! 2. CHAN 
me, S52 
SIV CNEWN“CeE SN Zea DAGECPE\*H1 2 3 4839GPS8° is 
«> MOOLFYS<1>NEW\*<39GP => MODIFY 1 3 
FRPROCESSERRAI PREESIS =-> PROCESSS<I>SFR*O PR’LSIS<2> | 
NESARA DRAG? POROS AO GP 0.1 2 3 4 °C *3 » ’mm S1 52 
* TEST MOVE NEWRPIS’8SSIS => 15<2>' 58<3>1*<]>3 ?21>!S15<4> t 
tbo? ss => IS [> tae2> i 
"PROCESSSPR CO NEMP OLSHARM DARM CP F R S AO GP CP PR ~ « 
Den A? [CS TESITENOVERNEN 75.51.52 
ZI'S "> “STARTS<2>PROCESSS<1>PR*CS<I> 3 
PROCESSES PR’ C\OMONEWAUES RAKM OARM CP PRS 
Aare OU AY? eSI7S 
=>» ACHAN\G<1>PR S4R PROCESSS<1> 
PR®*CSTARTS<2>!2S<13> f 
IPROCESSSPR’CSTARTOESHARM DARM CP P R S AO GP >» 
Die 4 OE SA, 8 EAS LS 
=>”"STARTS<2>PROCESSS<1>PRCSÍCIA $ 
"PROCESSEBRLCAL (IS 
=> ACHAN\*<I>PR S*S PRUOCESSS<I>FPR'LS<2>H 
IPROCESSSPR’CO MOVEN\DLSHARM DARM CP PRS 
AO GP * 0 1. 2 al Ze 87° IT tt 
=->PROCESSS<I>PRFLCS<I>DO MOVE\O<SI>S<2> !SI\r<I>SCH> I t 
"PROCESISPROED MOVENDCRESSI 2.22 1JA0C5 
# AR DARM CP P R 5 AO GP *G i234 
Cie .x)'5517, 
FS "CHAN DO< IPR. 1*NER. 1 CPS<2>A08<3> 
PROCESSS<1>PR*COS<A>S15<2537 5 
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169 
179 


(8) 


(9) 


FEROGESSEPRZESENZHR 55% )]'5515? 1] 
=> *CHANS<I>AO Rr\*<I>PPROCESSS<I>PRICSC<C2Z>SI’) 3 
J -> $<1>PR5<2> | 
PHASE 2 & CS*:AOSRPROCESS ARM DARM P R S CP AO GP * Q 
LE EST 
S-SFROCEso cr CSH 192 eed ADS LE => PROCESS CPS<2> 
PRDC ESSC PECS AIRA Fd CAOS LS => PROCESS CPS<1>°:A 
J -> $<1>A0$<2> } 
PHASE 2 & CS°3GPS „PROCESS ARM DARM P RS AO GP 2 D 1 
hese Ce 2°34 %f *3 ° eds 
Z "S$PROCESS$* :GP*15 => PROCESSS5<2>"* :6P”*15S<3> 
ARCAS Sor 1S => IPROCESSI<1>* ¿GP0S<2> 5 
J 7> $5<1>G6P5<2> ; 
PHASE 3 & SERUCESS CPLESU] 2 „JADE => CAN S<Z2>AO $ 
PHASE 3 & SPROCESS CPC$81 «BJIAO*OS => HCAN 5<2> AO 1 
PHASE 3 & SPROCESS CPES 2» 2JIROSCPENS NT 2 3 4816P*15 
=>CAN \r<i>GPF 3 
PHASE 3 & SPROCESS CPCS#1 2 ¿SIAOSCPEA*81 2 3 4USIGP*DS 
=> NCAN V\*<1> GP i 
PHASE 3 & *MOVESCPCSa1 2 3 4¥.83C0\*HAO GPSS 
>> NCANS<2>\*<1> $ 
PHASE 3 -> NCAN 1 PR } 
PHASE 3 & CHANCSH#1 2 ,ZIL\GPRAO PRBEI\*SS 
=> CANS<L>\GP<I> => NCANS<IONGPSI> i s 
RIED EISEN SBERAN DUFEZS | GP 175 E SEP | GP°O*] SAEM 
=> CAN 1 GP => NCAN 1 GP 5 
PHASE 3 & C\*HCHAN BUFF3SJI1 GP 2^5 & SCP 1 GP*Q*1SARM 1 
=> CAN 1 GP => NCAN 1 GP $ 
PHASE 3 & C\*HCHAN BUFFSI1 GP 3°38 & SCP 1 GP-NrISARM 1 
=> CAN 1 GP => NCAN 1 GP 3 
PHASE 3 & *CHAN 1 GP 1*SPROCESSS & SCP 1 GP*QO*1S5ARM } 
E EX*ECRAN BUFFSZIIL GP 1s 
=> BUFF 1 GP 1*%*5<]> -> BUFF 1 GP 18<6> 3; 
ARAS EACHAN te Gls 2-SEROCESSS G&G SECR 1 GPSO*1SARM 1 
& CV\*HCHAN BUFFS3I1 GP 25 
=> BUFF 1 GP 2*5<1> “> BUFF 1 GP 25<46> } 
PHASE 3E ^CHAN 1 GP3^SPROCESSS & SCF i GP^O^ISARM 4 G 
& C\THCHAN BUFF2)JL GP 35 
=> BUFF {| GP 3*$<1> -> BUFF 1 GP 35<6> ; 
PHASE 3 & ACHAN 1 GP {1°SPROCESSS- © -3SCP | GP*O>I1SARA | 
=> CAN t GP => NCAN 1 GP 3 
PHASE 3 & ACHAN ! GP 2^SPROCESSS & SCP 1 GP*Q*1SARM | 
=> CAN | GP => NCAN 1 6P j 
PHASE 3 £ “CHAN 1 GP 2*3PROCESSS & SCP 1 GP*O1S5ARM 1 
=> CAN 1 GP => NCAN 1 GP 5 
EHASE 3ZEZIEHANENSHZ2 3 USER IGPNASPROCESSS 
=> CHAN\*<SL>GP\*<2>S<I> => CHANNA<SLO>GP\S<2> 3 
PHASE 3 G KILLCSK'C “1? ARNSDARMZER PZRZEFAIN GP * » 
Del 2732 
BSECRLN IN HI 2 4 AU GPE IS => 
MODIFAS KION OS 2>K ILL => MODIFY 1 ; 
J -> 
PHASE 3 5 -CHANCSHI 2,3JIAOSPROCESSS => BUFFS$<1>A05<2> 
PHASE 3 & SPRƏCESS CP 1 A005 26 “CHAN 1 AD RS 
=> CAN 1 AO => NCAN 1 40 5 
PHASE 3 £ SPROCESS CP 1 AO*15 & “CHAN 1 AD RSPROCESSS 
& CHAN 1 AO RS 


N 


T93 


l 


e 


O“0$<2> 


1 GP 15 


GP 25 


GP 35 


GP 15 


GP 25 


P 35 


GP 15 
GP 25 


GF 353 
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194 


=> CHAN 1 AO R3<5>$<3> => CHAN 1 AO RS<5> 3 
PHASE 3°65 “GHAI CSAO\7 8] 2 3 4 . 
SACK A => AO 6 fl 
ISPROCESSS => CHANSX<I>AON*<1>$<2> => CHANS <I >AD\%<1>3 
PHASE 3 & ^STARTSPROCESS CP 3 PRS => PROCESSS$<1> } 
PHASE 3 & ACHANCA\^#2%IPRA^SPROCESSS 
=>CHAN\T<CI>PR\T<2>IS<I> => CHANNA*<I>PRA?C<2> 3 
PHASE 3 & “MOVE\CCPES#! 2 «%3A0S 
=> BUFF { PRS<1>°0 MOVENASISCPS<SI>AOS<S2> | 
PHASEeo 96 “CMOVEXN*S" => PROCESSS<1> ; 
PHASE 3 & *C\*RMOVE NEWZIS => CAN 1 PR => NCAN 1] PR y 
PHASE 3 6 “NEWSPROCESS CPLsSR] 2.3JA05 -> BUFF | PRS<2> 
“0 NEW O8<1> 1 i 
PHASE 3 E&*CHANSPROCESS CPCS#! 2 »SJAQS -> BUFF 1 PRS<2>* } 
PHASE 3 & PROCESS CPEOSAIZ 213405 => BUFF 1 PRS<1>* ¡ 
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(1) 
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(3) 


(1) 


C3 


$“ 
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io 


SYSTEM C 


PHASE 3 & CHAN 1el AO 1 & CHAN Jol ADR 


E CHAN 1+2 AO 1 £ CHAN J]Joe2 AO R 
& CHAN tel AO S & CHAN 162 AO S 
& CHAN 2 PR S & CHAN 2 PR 1 
& CHAN 2 GP 1 & BUFF 2 GP 1 
& CHAN 2 GP 2 & BUFF 2 GP 2 
& CHAN 2 GP 3 & BUFF 2 GP 3 
& CHAN 3 GP 1 & BUFF 3 GP I 
& CHAN 3 GP 2 & BUFF 3 GP 2 
& CHAN 4 GP 1 & BUFF % GP 1 
& CHAN 4 GP 2 & BUFF 4 GP 2 


& KODIFY 2 
CUPROCESS CRZ PRO PRESI? 
& PROCESS CP 1.1 A0-*0 AO*T CP 2 GP*0*1”1 
DARM 2 GP 1 DARM 2 GP 2 DARM 2 GP 3 GP’C’J’) 
& PROCESS CP 122 AO*Q AO*ECCP 4 GP ^0^1^1 DARM 
TEA MCP GPEC CP 3 GP *O0*15] DARM 3 GP 1 
DARM 3 GP 2 GP’C’3)’) 
PHASE O 1 2 3 4 CHAN BUFF PROCESS ARM DARM CAN 
BORN T MODIFY KIEL PR AO GP CP PRS ^p y] * UG 
MOVE START NEw TEST ’g S4 52 
PHASE 1 => PHASE 2 ł 
PHASE 2 => PHASE 3 3 
PHASE 3 -> PHASE | 3 
san mn S2 2 S$<i> => PRINT 2 1 
CHAN\SGP\SS => CHAN\T<IDGP\N<C2> 5 p 
PHASE 3 % SPROCESS CPCSH81 2 SJAO SDARH\A\%\4%S 
=> BUFFN*ESAS5EZ3N*CI> ¢ 
PHASE M3 £ CHANCS81 2, EIE\NGPHAO PR3IE => CHANS<1>1GP<1>5<2> 3 
PHASE 9386 SPROGESS CP 1.1 AOAIE E CHAN 1.1- AOS 
=> CHAN lel AOS<3> 3 - 
PHASE 3 & SPROCESS CP 112 A0515S 6 CHAN 1.2 AOS 
=> CHAN 1.2 AGS<3> ; : 
PHASE J @ “WOVENCCR isi AOQRL CHAN 1-1 AOS 
=> CHIAN Wl AO $<2> 3 
PHASE 3 £ “*NOVE\*CP 3,2 AGS & CHAN 122 AOS > 
"> CHAN 1.2 AOS< Zit 
PHASE 3. & CHAN\TPR\**S “> BUFF\*<SI>PR\ ?<S2>r\ r<S2>5<]> $ 
Busse 3. 6 “CHAN\@ER\=) => BUFFY O<1>PR\C< 25° | 
PHASE 3 &6 CHAN \*% PRV\SS => CHAN \A<K1> PR\%<2> 3 
PHASE 3 & SPROCESS CP 1e1 AO*0S & CHAN 1.1 AOS 
=> BUFF 1.61 AOS<3> ; T 
PHASE 3 & SPROCESS CP 1.2 AO*CS & CHAN 1,2 AOS 
=> BUFF 122 AOS<3> l u 
PHASE 3 £ SPROCESS CP tel AO*GS & CHAN 1.1 AO\%S 
=> CHAN ləl AO\"<1]> 5 . 
PHASE 3 & 3PROCESS CP 1462 AO*Q% & CHAN 4242 AO\*S 
> CHAN 142 AQ\-<1>.; 
CHAN 2 GP 1 & BUFF 2 GP 1$ & SPROCESSSARH 2 GP 35 
=> BUFF 2 GP 15<1> 3 
CHAN 2 GP 2 & BUFF 2 GP 2$ & SPROCESSSARM 2 GP 25 
=> GUFF 2 GP 25<1> 3} 
CHAN 2 GP 3 & BUFF 2 GP 33 £ 3PROCESSSARM 2 GP 35 
=> BUFF 2 GP AS<I> 3} 
CHAN 3 GP 1 & BUFF 3 GP 1 
=> BUFF 3 GP 15<1> $ 


& SPROCESSSARM 3 GP IS 
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CHAM 3 GP 2 & BUFF 3 GP 28 E 
GP 2$<1> 3 
BUFF 4 GP 18 £ 


=> 
CHAN 

Se 
CHAN 

=> 
CHAN 
CHAN 
CHAN 
CHAN 
CHAN 
CHAN 
CHAN 
PHASE 


BUFF 


4 


GP 


PUFF 
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GP 


BUFF 
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£ E UVUVNNAN 


GP 
GP 
GP 
GP 
GP 
GP 
GP 


16& 
=> PROCESS CPS<1>° 3 A0*%15<2> 


& 


1$5<1> $ 


& BUFF 4 GP 28 & 
GP 23<1> 3 


3 
l 
4 GP 
2 
y 


1“s 
273 
3*r$ 
1*S 
aS 
1^S 
2*5 


SS SDSeDnD 
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SPROCESSSARM 
SPROCESSSARM 
SPROCESSSARM 
SPROCESSSARM 
SPROCESSSARM 
SPROCESSSARM 
SPROCESSSARM 


SPROCESSSARM 3 GP 


SPROCESSSARM 4 GP 


SPROCESSSARM 4 GP 
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GP 
GP 
GP 
GP 


15 
25 
35 
15 
25 
15 
25 


PROCESS CPCS) 2 4% TA0*1S 


CANSAR E PROCESS €P 2 PRAN?S 
E BUFF 2 PR S*$ 
& BUFF 2 PR 
DN a Sct > Gch > I PROCESS CP 2° 3PR*1S<1> 1 
NCAN 2 PR & PROCESS CP 2 PR*I 
NCAN 2 PR & PROCESS CP 2 PR^Q 
AO & PROCESS CP Is] 


=> 


CAN 1.1 
& RUFF lel 

& BUFF 

CAN 1,2 


AO E PROCESS CP 


& BUFF 


NCAN 
NCAN 
NCAN 
& 
NCAN 


=> ASK3>S<1>CP 
AO & 


NCAN 


“> BUFF 2 GP 23<3> 
AO GANT 2 GP & SCP 


NCAN 


“>05<3>5<1>CP 2 


NCAN 


& CHAN 2 GP 35 LE BUFF 2 GP 
=> BUFF 2 5P sss 3> 


NCAN 


NCAN 


NCAN 


NCAN 


lel 


lel 


4 
4 


el 
BUFF 


lel 
& BUFF 2 GP 


lo! 
& BUFF 2 GP 


lel 
E BUFF 2 GP 


lel 
& BUFF 2 GP 


lel 
& BUFF 2 GP 


lel 


lel 


lel 
& CHAN 2 GP 35 5 SUFF 2 GP 35 


at 


2 Gr 
AD E CAN 


AO & 


lel*s & BUFF 2 PR 


l 


l 


1 


l 


AO 5 
AO RS => $5<2>5<3>5<4>PROCESS CP 
1.2 A0*0S 
Vel AO S53 

& BUFF 1.2 AO RS => 
AOE CAN 2 GP TG SCP 2 GP LS 
=> S<1>CP 2° $GP*15<2> 
AO TETERA 


$ 


> 


; 


Sr, 
=> 
-> 
-> 
-> 
=> 
=> 


BUFF 
BUFF 
BUFF 
BUFF 
BUFF 
BUFF 
BUFF 


£ CEUV NNN 


& BUFF 2 PR 1^5 


-> 
=> 


14209 


"PROCESS CF 2 


AUrOSs & BUFF 


1252-53 BUFF 2 GP 


GEBUFFT 2 GP 20 


2 5GPCle 105 <2> 
Grn 2 GP GeseCP 2° GrP*O*)]*08 


. 


y 


15<3> 
GP OSCR 2 7GE0U°71°03 


RUFF 


2 GPG esGP 72 76P20°1*0$ 
GERUFrFFREGP ZI ERSTES YES ICP 2°,6P*1*r1*05S2> ı 
ADAN 8G wach ec Gr-O°1*OS$ & CHAN 
-> BUFF 


iel AO 


l»2 AQ 


5<2>5<3>S5<H>PROCESS CP 


& CHAN 2 GP 25 & BUFF 2 GP 2°Ss 


? 


an 


=> GUFF 2 GP 2*3<4> 
GP^0^1^05 


° 
t 


& BUFF 2 GP 2 & BUFF 2 GP 34$ 


6 BUFF 2 GP 


2 


*SGP*1*1°0s<2> o 
AO £ CAN 2 GP & SCP 2 GP*0414Q3 


323 


-> BUFF 2 GP 3*3<4> 
MODE CAN 2 GP &) SCP .2.G6F°0* 1°15 


1S E BUFF 2 GP 25 & BUFF 2 GP Js 


AO E CAN 
& BUFF 2 GP 15 
“> BUFF 2 GP 15<3> -> BUFF 2 GP 
2 GP E $CP 2 GP*0*1*18 
SCHAN 2 GP 23 & BUFF 2 GP 25 

"> BUFF 2 GP 2$<3> 


CAN 


“> HUFF 2 GP 23<4> 
woe Gane GP & SCP 2 GPOeDS1"15S 


ee See 4596555 <1>CP 2° GPAI AIAS? 1 
eGo scr egeGrocu |] “15 E CHAN 2 GP 13 


135<4> $ 


23 
15 
25 


GP 
GP 
GP 
GP 
GP 
GP 
GP 


**PRA]5C]1> 
ZErROCESS EP 2 PR?O3<]1> 


15 


esi [> 
Z°5:<1> 
3*3<1> 
1*5<1]1> 
2^5<1> 
1*5<1> 
255 <> 


se oe ese vo oe oe oe 


196 


Pol” :AO0MÉ<IT> 


13 


lo 2’ :AOrıS<i> 


2 


2 GF 


GP 15 


1^3<4> 


è 
, 


; 





i 
115 
116 
117 
118 
119 
120 
121 
122 
123 
124 
125 
126 
127 
128 
129 
130 
131 

[32 
133 
133 
135 
136 
137 
138 
139 
140 
baa 

142 
13 
144 
145 
146 
147 
148 
49 
150 
151 

152 

153 

154 
155 
156 

157 
158 

157 

169 
161 

162 
163 
189 
165 
146 
167 
168 
607 
170 


(6) 


=> BUFF 2 GP 33<3> => BUFF 
NCAN Ie 1. NO 6 
=> "PROCESS "CP 141 
NCAN 102 AO & CAN 
=> $< 1>CP 8 *3GP*1$<2> | 
NCAN 1.92 AO £ CAN 3 GP & SCP 
E BUFF 3 GP 1S 


A0Q3“1> 
3 GP & SCP 


NCAN 2 GP & PROCESS CP 


197 


2 GP 35<#4> | 
lel AOS 


3 GP^IS 


3 GPAOSI ^S 


mS OSCARS Ter 6s GRATA ATS 1 


NCAN 1e2 AQ & CAR 
& CHAN 3 GP 


SEGE 6:36? 
1$ & BUFF 3 GP 
=> BUFF 3 GP 15<3> -> BUFF 
NCAN 1+2 AO & CAN 3 GP & SCP 
& BUFF 3 GP tł 
=> *3<¢€355<1>CP 
NCAN 1,2 AO & CAN 3 GP & SCP 
& BUFF 3 GP 
=> GUFF 3 GP 25<32 
NCAN 
& BUFF 3 GP 1S & BUFF 3 GP 
=> $<3>5<4>$<1>CP 3 
NCAN 19.2 AO & CAN 
& CHAN 3 GP 


=> BUFF 


3 GP & SCP 
15 & BUFF 3 GP 
=> BUFF 3 GP 15<3> => BUFF 
NCAN 1062 AO & CAN 3 GP & SCP 
& CHAN 3 GP 283 & BUFF 3 GP 
=> BUFF 3 GP 26<3> -> DUFF 
NCAN 1.2 AO £ 
6 5CP 4 GP*1% 
=> 9S$< 1 >CPeaee (GPA lSe2>,; 
NCAN 102 AO & 
A GESUr 120828 BUF it 
=>°S$<3>5<1>CP 
NCAN 102 AO & NCAN 
& 5CP 4) GP4*0-1405. 6 CHAN 4 
=> BUFF 4 GP 13<3> => BUFF 
NCAN [22 AO & 
E ¿CP 4 GP 
*>»5<3>5<1>CP 


- 


1 & CHAN 3 GP 2 $ & BUFF 3 


NCAN 3 GP & CAN 


NCAN 3 GP & CAN 
“O*1*UuS & BUFF 4 GP 1 
4 GPA 1~ 1 “Gie~e2>03 


O 
1^5 

J GR TASS] 
620103 


& BUFF 3 GP 2*5 
37 3;GP“~141*035<2> f 


3 GPrOrı DS a 
GP 2^5 
3 GP 2^5<4> | 


le2 AO & CAN 3 GP 6 SCP 3 GP^0^51^15 


25 


o POS AE ZO e 


seer oO pol > 

15 

3 GP IS<Y> l 

37672071213 

2% 

3 GP 25<4> 5 
4 GP 


NCAN 3 GP & CAN 4 GP 


GP 1%5 


222GP°127,20%5<c2> ; 
3 GP & CAR 


4 GP 
GP 15 & BUFF 4 GP 145s 
4 GP 195<4> 3 
4 GP 
& BUFF 4 GP 245 


NCAN 1e2 AG & NCAN 3 GP & CAN 4 GP 
& 5CP 4 GP*O*%1%0s 
& BUFF 4 GP 1 6 CHAN 4 GP 


=> BUFF 4 GP 2S<3> => BUFF 
NCAN 
G scr Y GP20S1*15S £ 
"> 354x3I>5<4>5<]>CP 
NCAN 122 AO & 
& $CP 4 GP*90*1°15 
& CHAN 4 GP 18 & BUFF 
“> BUFF 4 GP 1 S<€3> 
NCAN 122 AO & 
& $CP 4 GProrır1$5 
& CHAN 4 GP 25 & BUFF 4 GF 
=> BUFF 4 CP 2 $<3> 
NCAN ].2 AO £ 
DEPROCE IS ICPZI 2 ADS 
=> "PROCESS CP 
PHASE 2 £ 


BUFF 4 


4 GP 


'S:PROCESS3S 


le2 AQ & NCAN 3 GP & CAR 


=> BUFF Y GP 
NCAN 3 GP & CAN 


Liz A0 SCEI> 


25 & BUFF 4 GP 2*s 
4 GP 2°5K<4> i 


4 GP 
GP 15 & BUFF 4 GP 2$ 


HGRA TASS; 
NCAN 3 GP & CAN 


4 GP 
15 
15<4> $4 
4 GP 


25 


=> BUFF 4 GP Z5<N> ; 
NCAN 3 GP & NCAN 


4 GP 


„> PROCESSS<I> 5 





198 


171 PHASE 3 & SPROCESSS => PROCESS$<2> $ 

172 PHASE 2 => MOOIFY 2; 

ne (7) PHASE 2 & CS’:PRSHPROCESS ARM DARM CP P R S PR AO GP * Q 
174 O be a START MOVE NES TEST I . CHAN 

175 me, 51057 

176 BIN TNER\NTCPLCSU] 2. BJAOSCPLN\ AI 2 3 4SIGPS* Ss 

177 => MOO!IFYS<]>NEW\*<3>GP => MOOIFY 2 5 

178 IPROCESSSPR*] PR*ESIS => PROCESSS<I>PR*O PR’LSIS<2> 3 
179 E AROAK PPRS AO GP * 0 1 23 4 °C *J + a SI $2 
180 z TEST MOVE NEW3TI1S* 551% => '$<2>* :$<3>31”*<1>35<1>1S15S<4> 3 
181 PI SICA ZO i 

182 IPROCESSSPR’CO NEM OCSHARM DARM CP P R S AO GP CP PR ~^ , 
183 DEI 22 <8 ie it 4A! Ie TEST MOVE NEW °m 51 52 

184 Shee => “STARTS<25PROCESSSE<ISOPR®*ELS<3> I 

185 IPROCESSSPR’'E\D NEW\NOCSSARM OARM CP PRS 

184 OMG oO. 1 eZee 4: e r * .8]211!$ 

187 => *CHAN\G<]>PR S*R PROCESSS<I> 

188 PR’LCSTARTS<2>'S<3> I a 

189 IPKOCESSSPR’LCSTARTLSHARM OARM CP P R S AO GP a~ 

190 OG esate ee Jo ..31. 3223885 

191 @>*STARTS<2>PROCESSS$S<I>PRICS<3> 5 

192 TPROCESSSPR’C\"* #15 

193 => *CHAN\*<I>PR S*S PROCESSS<I>PR'LS<2>} 

194 I'PROCESSSPR’'CO MOVENOCSRARM DARM CP PRS 

195 AOPGPE STO I2 3 AUG ee ay e- 2J]!SS1\25'] 

196 =>PROCESSS<I>PR’CS$S<3>0 MOVE\O<I>$<2>'!SiI\^<i>s<4>’'] $ 
197 PPROCESSSPR*° EQ HOVE\OCPESH1 2 2 1A0CS 

198 q ARMe OAR GPar Ree AU GP ISO 3 q 

199 Sees a4 $2'S51° J 

200 => *CHAN\Ü<I>PR ZINEN 2 CPS<2>A0S<3> 

201 PROCESSS<1>FPR’ C3<455)5<2>' 3° { 

202 EPROCEESSSER’ESENTHR Ss ]rssıs’] 5 

203 æ> ACHANSCIDAO RAN^LI>PROCESSS<I>PR’'’CS<2>51’'] 3 

204 J ~> S<l>PRs<2> ı 

205 PHASE 2 5 ES* ¡AOSHPROCESS ARM DARM PR 5 CF AO GP ^ 0 1 

206 oa, AE TO A. e TEST 

207 RESP ROCESS EEE I ZZ ZZ SI ZIAO* IS => PRGGCESS CPS-<2>°:A0CIS<S3> $ 
208 PROCESS CPLSuI 2 23)3* 140715 => PROCESS CPS<1I>':AOrDS<2> ı 
209 J -> 5<]1>A05<2> | “ 

210 PHASE 2 & CS’':GPS HPROCESS ARM DARM PR S AO GP ^ 0 1 

211 Test Gre 2.374 "6." 3 8 © hg 

212 ZEAR ROCESS Tn GRAI E> PROCESSS<25" GRANS } 
213 PROCESSS* :GP*15 => PROCESS5$<1>* :GP=05<2> ; 

214 J} => $<1>GPS<2> ; 

215 (8) PHASE 3 & SPROCESS CPCGH1 2 «%3A0%1% => CAN 5<2>A0 } 

216 PHASE 3 & SPROCESS CPCS) 2 SE.1A0O20S => MCAN »<2> AU } 

217 PUHBSEESZEZSERDCESSTERE Su 2 ,ZJADOSCPEN "41 2 3 SZIGP°I1S 

218 @=>GAN \*<1>GP ; : 

2,7 PHASE. 3 6 Si ROCE o> -CPELSH!] 2 „RIADSEPEN*s | 2 3 4SIGP*OS 

220 => NCAN \*<1> GP 5 

221 : PHASE 3 & “MOVESCPOGSu] 2 3 4 sSIE\*HAO GPZit 

222 => NCANS<2>\r<)> € 

223 PHASE 3 => NCAN 2 PR ; 

224 PHASE 3 & CHANCS#1 2 «ZIENGPSAO PRZI\*-S 

225 => CANS<SI>\GP<I> => NCANS<KLONGP<I1> 5 

226 Pun Ses SOE NoRCHAT COURTS 3° 2 GP f°“S'& £CP 2 GP*O*1EARH 2 GP 15 


227 => CAN 2 GP => NCAN 2 GP 3 





228 
229 
230 
23l 

232 
238 
234 
235 
236 
237 
238 
239 
240 
24) 

242 
233 
244 
245 
246 
247 
248 
249? 
250 
251 

252 
253 
254 
255 
256 
257 
258 
257 
260 

261 

262 
263 
Zed 
265 
266 
267 
248 
269 
270 
271 
272 
273 
274 
275 
276 
277 
278 
277 
280 
281 
282 
283 


284 


(9) 


199 


PHASE 3 & C\*#CHAN BUERST 2 GË 27S Scr 2 GP*0%] SARI 2 GP 25 


=> CAN 2 GP => NCAN 2 GP } 


PHASE OTE TCNSACHAN BUFFZJ2 GP 3^5 & SCP 2 


=> CAN 2 GP "> NCAN 2 GP } 


PHASE 3 E CA\A^nCHAN BUFFZJ3 GP 1^5 & SCR 3 


SCANS GP ZS NCAN 3 GP } 


PHASE IE ECSS CHAN BUFFZI3 GP 2^S & SCP 3 


=> CAN 3 GP => NCAN 3 GP 3 


PHASE 3° 6 CN“SCHAN BUFFEI4 Gp 179 & SCP 4 


=> CAN 4 GP => NCAN 1 


PHASE 3 & C\^BnCHAN BUFFZ3J34 GP 2°S & SCP 4 


=> CAN 4 GP => NCAN 4 GP } 


GPADATSTARNM 


GP" OAMSA RA 


GPAD^ISARM 


GP*0O*1SARM 


GP*U*)SARM 


2 GP 35 


3 


3 


4 


4 


GP 


15 


GP 25 


GP 


1s 


GP 25 


NE CIS ANI IASPROGES AS 6 SCP 2 GP*O“1SARM 2 GP 


& C\*HCHAN BUFFR&I2 GP 1% 
=> BUFF 2 GP 1^$<1> => BUFF 2 GP 


15<6> 


13 


PHASE I E ACHAN T2 GP 22SPROCESSS E SCP 2 GP^D^ISARM 2 GP 28 


SEN ACHAN SUFFEJ2 GP 25 


S> BUFF 2 GP 2°7$<1> => BUFF 2 GP 25<6> 


PHASE 3 & “CW 2 GP 3°SPROCESSS 


& sCP 2 GP*O*]S$AKM 2 GP 3S & C\*HCHAN 


SD BUFFT ZEIGE I ES <CEI > => BUFF 2 GP 33<65 


PHASE 3 £ “CHAN 3 GP I*PROCESSS 


BRSICH 3 GPEBZLISARN 3 GP IS 56 ENXSuCHAl 


=> GUE TG. LAS? => BUFF 3 GP 
PHASE 3 6 “CHAN 3 GP 2*PROCESSS 


& $CP 3 GPAD^ISARNM 3 GP 25 & CA\^RnCHAN 


15<6> 


=> BUFF 3 GP 2*5<1> => BUFF 3 GP 2$<6> 


PAGES E “CHAN 4s GP IS PPROCESSS 


BUFF3JI2 GP 


BUFFSIJ3 GP 


e 
, 


BUFFZJ3 GP 


& SCP 4 GP*O*]SARM 4 GP 15 & C\A*HCHAN BUFFS3% GP 
15<6> 


-> BUFF 4 GP 1*$<1> => BUFF 4 GP 
PHASE 3 £ “CHAN 4 GP 2*3PROCESSS 


33 


25 


wm 


& $CP 4 GP*)“!SPRM 4 GP 28 & C\*ACHAN BUFFZ34 GP 25 
2$<6> 


=> BUFF Y GP 2*5<]> => BUFF 4 GP 

PHASE 376 “CHMIN 2 GP 1°SPROCESSS b 

=> CAN 2 GP => NCAie 2 GP y 

PHASE 3 £ *CHAN 2 GP 2*SPROCESSS & 
=> CAN 2 GP => NCAN 2 GP 3 

PHASE 3 & *CHAN 2 GP 3°SPROCESSS £ 
=> CAN 2 GP => NCAN 2 GP $ 

PHASE 3 £ “CHAN 3 GP J|*SPROCESSS & 
=> CAN 3 GP => NCAN 3 GP 3 

PHASE 3 & “CHAN 3 GP 2*SPROCESSS & 
=> CAN 3 GP => NCAN 3 GP 3 

PHASE 3 £ *CHAN Y GP |*SPROCESSS b 
=> CAN 4 GP => NCAN 4 GP 5 

PHASE 3 £ “CHAN 4 GP 2*SPRUCESSS £ 
=> CAN 4 GP => NCAN 4 GP 3 

PHASE 3 E SCHAWNEN? HIS IGP\CSPROCESSS 


SCP 


$CP 


aCP 


sch 


SCP 


$CP 


SCP 


2 


2 


2 


GP“O*1SARH 
GP*Q*15ARN 
GPADAISARN 
GP0* 15ARM 
GPAQA1SARM 
GPAUrISARM 


GPAOrISARM 


=> CHAN\N<1>GP\r<S2>35<1> => CHAN\*r<I>GP\r<S2> I 


PHASES oo hits gil 34 lie ARM DARM CP P 


DE Zargen 


EECRLSNSUl 2 Y SAD GAS 
MOBIEYNTSI>SNT<Z5SKILL 


22% 


R 3 AQ GP * 


> 


=> MODIFY 2 


PHASE 3 £ *CHANCS#{ 2.8JA0SPROCESSS -> BUFFS<L>AUS<C2> 


BIASEZI ET SERDCESS CP lel AQSOS E CHAN 


=> CAN tel AD => NCAN Jel AO 3 


lel AQS 


GP 


GP 


GP 


GP 


GP 


GP 


15 
23 


33 


25 
13 


23 


285 
286 
287 
288 
289 
290 
291 
292 
293 
294 
295 
296 
297 
298 
299 
300 
301 
302 
303 
304 
305 
306 
307 
308 


PHASE 3 & SPROCESS 
=> CAN 1e2 AO -> 
PHASE 3 & SPROCESS 
& CHAN Jel AO RS 
=> CHAN lel AO Rs 
PHASE 3 £ SPROCESS 
& CHAN 1e2 AO RS 
=> CHAN 122 AO RS 
PHASE 3 & *CHANC SAO 
g 1 
l 
JsPROCESSS => CH 
PHASE 3 & ^STARTSPR 
PHASE 3 6&6 ^CHANCA^N 
=->CHAN\T<I>PR\” 
PHASE 3 6 CHOVENCCP 
=> BUFF 2 PRS$<1 
PHASE, 3.6. CMOVENSS 
PHASE 3 & ^CN\^KNs MOVE 


200 


CP 1.2 A0%0S E “CHAN 122 AOS 
NCAN 102 AO } 
CP 1.1 AO-IS £ “CHAN Jel AO RSPROCESSS 


<5>5<3> «=> CHAN 1.1 AO Rs<s> 3 
CP 102 A0*]15 £ “CHAN 1.2 AO RSPROCESSS 


<S>5<3> -> CHAN 1.22 AO RS<3> | 
Sul 23 4%. 

el AO\* => eo AO e $ 

e2 AQ\* => o AO o 5 
ANS<CI>AO\^<1>$<2> => CHANS <1>A0\%<] >} 
GiGESS "CFs? PRS => PROCESSS<]> |} 
IBIPR\TSPROCESSS 
<2335<1> => CHAN\?<I1>PR\7%<2> i 
CS$#1 2 eSJAOS 

350 MOVENS<ISCPS<SI1SA0S<2> $ 
=> PROCESSS<I> 5; 

NEWSIS => CAN 2 PR => NCAN 2 PR $ 


PHASE 3 & “NFUSPROCESS CPTSH] 2 „2IA0OS => BUFF 2 PRS<2> 


*0 NEW OS<] 


PHASE & “*CHANSPRO 


Lo 


> 3 
CESS CPESW] 2 sh IJAOS => DUFF 2 PRS<2> ^ } 


PHASE 3 E PROCESS CPESRI 2 5 JA0OS => BUFF 2 PRS<1>* 5 
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